Message	Id	Version	Level	Task	Keywords	RecordId	ProviderName	ProviderId	LogName	ProcessId	ThreadId	MachineName	TimeCreated	ActivityId	ContainerLog	MatchedQueryIds	Bookmark	LevelDisplayName	OpcodeDisplayName	TaskDisplayName	KeywordsDisplayNames	Properties
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	17881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:28:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	17880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x85ABA7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x85ABA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50447 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x85ABA7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xAE8C1 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf08 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	17874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	17873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 5a1a2962-c864-474e-adfe-456c85651084 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	17872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 5a1a2962-c864-474e-adfe-456c85651084 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b8bee278db186686a8f72a67e18bedf6_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	17871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:27:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x839302 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:26:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84B742 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:26:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84B742 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:26:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84B742 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:26:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:26:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x84398C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:25:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x84398C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50439 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:25:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x84398C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:25:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83CE4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83CE4D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83CE4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83A213 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83A213 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83A213 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8391B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x839302 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x839302 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8392A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8392A5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8392A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83925C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83925C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83925C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8391B1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2196331140-1123242790-2794751651-1347068916 Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8391B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82E95A84-5326-42F3-A386-94A6F4A34A50 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:24:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x83445A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:23:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x83445A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50424 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:23:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x83445A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:23:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x82A783 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:21:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x82A783 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50420 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:21:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x82A783 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:21:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814E79 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:21:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x815C95 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x81AAF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x81AAF8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x81AAF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x817B8A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x817B8A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x817B8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x815C95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50417 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x815C95 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814D1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814E79 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814E79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814E20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814E20 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814E20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814DD6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814DD6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814DD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814D1D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-423876661-1336257912-602239900-2379965406 Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x814D1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1943D835-AD78-4FA5-9C73-E523DE63DB8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3624	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:19:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x80AA36 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:17:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x80AA36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50405 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:17:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x80AA36 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:17:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F200D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:16:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7FC25D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:15:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7FC25D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50394 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:15:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7FC25D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:15:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F5B7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F5B7E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F5B7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F2CFD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F2CFD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F2CFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1EC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F200D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F200D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1FB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1FB4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1FB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1F6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1F6B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1F6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1EC4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3493059490-1215249869-508546193-2139061520 Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F1EC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D033DBA2-3DCD-486F-91CC-4F1E107D7F7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:14:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7ECCFD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:13:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7ECCFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50376 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:13:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7ECCFD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:13:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7E2B56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:11:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7E2B56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50372 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:11:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7E2B56 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:11:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBDEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:10:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7D1511 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7D1511 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50369 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7D1511 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CF779 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CF779 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CF779 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CCD12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CCD12 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CCD12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBC9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBDEB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBDEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBD8E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBD8E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBD8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBD45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBD45 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBD45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBC9E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2874058148-1129717473-2598099367-4001754053 Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CBC9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB4EA5A4-1EE1-4356-A7D9-DB9AC5EB85EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:09:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7C1A0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:07:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7C1A0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50360 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:07:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7C1A0C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:07:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B12DE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:06:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0915 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B33D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B33D6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B33D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B1FF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B1FF8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B1FF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B118F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B12DE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B12DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B1283 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B1283 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B1283 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7AF0C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B123A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B123A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B123A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B118F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3956688636-1256684908-3918880952-3807505776 Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B118F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBD646FC-7D6C-4AE7-B860-95E970EDF1E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B09B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B098F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0994 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B098E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B09B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0971 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0994 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50352 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0994 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B09B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50353 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B09B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50354 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B09B4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B09B5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B098F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50350 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B098F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B096E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0971 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50348 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0971 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B098E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50351 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B098E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B096E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50349 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B096E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0915 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50347 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7B0915 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7AF0C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50346 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7AF0C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:05:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7A4735 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:03:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7A4735 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50336 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:03:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7A4735 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:03:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x799E2C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:01:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x799E2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50329 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:01:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x799E2C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:01:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7786EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 3:00:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x787049 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:59:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x787049 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50324 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:59:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x787049 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:59:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77FCFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:58:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77FCFF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:58:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77FCFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:58:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:58:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77C0B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77C0B2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77C0B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779404 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779404 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779404 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77859E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7786EE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7786EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x778691 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x778691 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x778691 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x778648 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x778648 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x778648 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77859E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1842673073-1201421349-1889270964-1348593685 Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77859E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DD4F5B1-3C25-479C-B4FC-9B7015E86150 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x774938 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x774938 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50317 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x774938 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:57:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765170 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4684	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76C371 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76C371 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76C371 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x768852 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x768852 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x768852 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x766056 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x766056 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x766056 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76501C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765170 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765170 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765113 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765113 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765113 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7650C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7650C5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7650C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76501C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-886222587-1091059286-2511677623-335703343 Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76501C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34D2AEFB-3E56-4108-B728-B5952F6D0214 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:56:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x753507 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x75CA93 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x75CA93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F73D4503-6846-C61C-D95E-1E1F0EF758DB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x75CA93 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75ADC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75ADC2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75ADC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75719B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75719B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75719B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7517BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x754289 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x754289 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x754289 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7533BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x753507 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x753507 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7534AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7534AA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7534AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x753461 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x753461 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x753461 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7533BA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1429198430-1156891764-1346927525-3950117500 Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7533BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552FD65E-C474-44F4-A57B-48507C0272EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7517BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50314 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7517BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:55:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FDC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74372A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74372A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74372A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x740CE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x740CE2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x740CE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FC7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FDC8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FDC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FD6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FD6B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FD6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FD22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FD22 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FD22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FC7D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4086119813-1284898253-3423441588-1894708530 Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73FC7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F38D3D85-FDCD-4C95-B492-0DCC32F5EE70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x73CE35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x73CE35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50304 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x73CE35 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730F55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x734C1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x734C1D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x734C1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73395E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73395E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73395E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:53:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x731C13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x731C13 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x731C13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730E09 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730F55 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730F55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730EF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730EF8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730EF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730EAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730EAF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730EAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730E09 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2784519997-1274693203-3450213032-1324470957 Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x730E09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A5F8673D-4653-4BFA-A812-A6CDADD2F14E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712D37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x728C29 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x728C29 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x728C29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:52:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7210CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:51:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x7210CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50287 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:51:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x7210CA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:51:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x716703 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x716703 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x716703 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x70FF07 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713C2A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713C2A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713C2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712BF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712D37 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712D37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712CDE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712CDE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712CDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712C95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712C95 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712C95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712BF0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2184927965-1093709489-2047080377-1119915972 Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712BF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 823B5ADD-AEB1-4130-B9F7-037AC48FC042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7080A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x70FF07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50284 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x70FF07 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70A173 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70A173 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70A173 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x708D91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x708D91 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x708D91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x707F51 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7080A2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7080A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x708045 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x708045 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x708045 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x707FFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x707FFC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x707FFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x707F51 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616022113-1094877329-93307560-3909433055 Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x707F51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7881E61-8091-4142-A8C2-8F05DF3605E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:49:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECDAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:48:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6FA4AF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:47:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x6FA4AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50269 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:47:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6FA4AF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:47:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F09AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F09AE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F09AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EDC96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EDC96 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EDC96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECC5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECDAB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECDAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECD4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECD4E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECD4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECD05 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECD05 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECD05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECC5A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258549833-1152487652-667581326-1065712926 Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECC5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B03F249-90E4-44B1-8E7B-CA271E7D853F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6E520C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D08BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x6E520C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6E520C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:45:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6DA473 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:43:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x6DA473 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50236 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:43:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6DA473 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:43:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D4315 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D4315 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D4315 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1593 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1593 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1593 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0771 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D08BC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D08BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0863 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0863 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0863 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0816 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0816 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0816 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0771 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2724651576-1311524822-103539898-3454778028 Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D0771 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A266E238-47D6-4E2C-BAE4-2B06ACBAEBCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4A73 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C521E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:42:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C731D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C731D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C731D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C6132 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C6132 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C6132 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C50D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C521E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C521E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C51C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C51C5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C51C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C517C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C517C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C517C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C50D5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-694709844-1190106611-2923788429-2699304036 Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C50D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29686E54-95F3-46EF-8D78-45AE641CE4A0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4B16 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ACA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AF8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ADE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4B16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50231 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4B16 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50228 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AE6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ACE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50230 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AF8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ADE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50229 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ADE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ACA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50226 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ACA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ACE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50227 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4ACE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50225 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4AC2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4A73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50224 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C4A73 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C1D66 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x6C1D66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50223 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6C1D66 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:41:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6B3A5A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:39:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB75D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:39:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x6B3A5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50213 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:39:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6B3A5A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:39:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AEF1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AEF1F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AEF1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AC439 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AC439 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AC439 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB612 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB75D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB75D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB704 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB704 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB704 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB6B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB6B7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB6B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB612 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1300840179-1214558022-1902763394-2685246689 Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB612 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4D893EF3-AF46-4864-82DD-6971E19C0DA0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A1975 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2128 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A4226 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A4226 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A4226 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A3042 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A3042 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A3042 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1FC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2128 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2128 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A20CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A20CF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A20CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2082 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2082 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2082 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1FC8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4278017450-1290999900-873064380-1114641155 Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1FC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FEFD5DAA-185C-4CF3-BCE7-093403137042 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A1A1F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50203 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50201 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19FF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19F9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50202 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19FC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A1A1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50204 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A1A1F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50198 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50200 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19D4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19F8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 50199 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A19D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A1975 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 50197 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6A1975 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:38:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x69726E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:37:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F8D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:37:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x69726E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50186 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:37:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x69726E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:37:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6931EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6931EB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6931EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6906CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6906CC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6906CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F784 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F8D0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F8D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F877 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F877 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F877 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F82A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F82A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F82A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F784 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-157547075-1124606331-4194918304-1302345781 Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68F784 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0963FA43-217B-4308-A05F-09FA3538A04D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684D5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x688682 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x688682 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x688682 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x685C40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x685C40 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x685C40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684C10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684D5B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684D5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684D02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684D02 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684D02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684CB5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684CB5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684CB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684C10 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-778231940-1245567099-159712697-250197590 Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684C10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E62E084-D87B-4A3D-B905-850956B6E90E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:36:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676E9A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AB12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AB12 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AB12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677C07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677C07 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677C07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676D4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676E9A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676E9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676E3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676E3D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676E3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676DF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676DF4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676DF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676D4D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2719491666-1130366731-220276611-3484788726 Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x676D4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2182652-070B-4360-8327-210DF6A7B5CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x674D80 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2728	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x674D80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50179 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x674D80 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:35:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65047D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:34:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x669705 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:33:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x669705 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50172 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:33:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x669705 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:33:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x65F526 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:31:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x65F526 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50168 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:31:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x65F526 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:31:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6528AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x653E91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x653E91 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x653E91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x6528AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50165 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x6528AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65117A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65117A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65117A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x650131 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65047D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65047D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6503BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6503BF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6503BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x650274 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x650274 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x650274 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x650131 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1594301638-1195813909-2477918650-2885748114 Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x650131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5F071CC6-AC15-4746-BA09-B293920501AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:29:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CE70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:28:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x63BEEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x640601 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x640601 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x640601 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63DDCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63DDCE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63DDCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CD27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CE70 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CE70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CE17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CE17 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CE17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CDCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CDCE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CDCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CD27 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3173375026-1309230497-713979033-3679986455 Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63CD27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD25DC32-45A1-4E09-9974-8E2A172358DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B48A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x63BEEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50158 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x63BEEE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:27:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EF01 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EF01 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EF01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62C391 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62C391 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62C391 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B33E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B48A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B48A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B42F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B42F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B42F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B3E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B3E4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B33E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2698449398-1105814587-1023071676-2307250816 Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B33E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A0D711F6-643B-41E9-BCD5-FA3C80DA8589 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x628E3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x628E3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50154 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x628E3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x622D3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x617520 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:25:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x626CC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:24:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x626CC3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:24:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x626CC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:24:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	3628	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:24:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x622D3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50149 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:24:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x622D3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:24:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61AF27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61AF27 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61AF27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x615BAE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61820E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61820E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61820E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6173CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x617520 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x617520 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6174C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6174C3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6174C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61747A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61747A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61747A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6173CF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2373826765-1186934476-3829910406-574092747 Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6173CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8D7DB8CD-2ECC-46BF-86CB-47E4CBF53722 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x615BAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50142 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x615BAE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606076 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:22:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608176 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608176 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608176 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606D4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606D4D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606D4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605F29 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606076 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606076 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60601D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60601D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60601D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605FD4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605FD4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605FD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605F29 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1274927592-1127970424-4043242937-1326813757 Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x605F29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4BFDD9E8-7678-433B-B9FD-FEF03D92154F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F45FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5FF312 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x5FF312 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50134 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5FF312 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:21:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F815E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F815E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F815E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F5529 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F5529 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F5529 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F44AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F45FC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F45FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F45A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F45A3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F45A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4556 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4556 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4556 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F44AF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1305902093-1207934738-3254918294-1328271437 Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F44AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DD67C0D-9F12-47FF-961C-02C24DD02B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5EF422 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	4412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x5EF422 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50129 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5EF422 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:19:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA8F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:18:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5E02CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	856	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:17:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x5E02CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50114 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5E02CA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE45D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE45D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE45D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB5F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB5F4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB5F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA7A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA8F0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA8F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA897 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA897 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA897 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA84A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA84A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA84A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA7A4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2727494497-1162781157-1522236578-3452106324 Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA7A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2924361-A1E5-454E-A27C-BB5A54F6C2CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:16:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5CD362 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:15:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B828B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:14:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x5CD362 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50107 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:14:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5CD362 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:14:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5BF226 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:14:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x5BF226 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50097 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5BF226 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BD717 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BD717 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	17003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BD717 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	17002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	17001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BA843 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	17000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BA843 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BA843 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B812B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B828B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B828B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B8232 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B8232 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B8232 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B81E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B81E4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B81E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B812B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782962521-1243838673-3063162015-3754530937 Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B812B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E17B6D59-78D1-4A23-9F24-94B67998C9DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:12:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5A811C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:11:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F1F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x5A811C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50087 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5A811C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A601E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A601E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A601E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3BA2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3BA2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3BA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F0CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:10:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5942C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:09:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x5942C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50075 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x5942C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x592BC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x592BC2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x592BC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FE02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FE02 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FE02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EEB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F0CB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F0CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F06E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F06E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F06E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F021 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F021 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F021 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EEB7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3095541352-1329373904-1936759707-2901993162 Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EEB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B8823668-A2D0-4F3C-9B9B-7073CAE6F8AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x56DF5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D14A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:08:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x582D1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x582D1F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x582D1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57FEFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57FEFE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57FEFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F0A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F1F0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F1F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F197 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F197 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F197 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F14A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F14A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F14A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F0A5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1995575466-1256483811-2431500455-1120361063 Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57F0A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76F210AA-6BE3-4AE4-A7C0-ED90675AC742 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538932 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CF7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:07:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571FB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571FB4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571FB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F399 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F399 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F399 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x56DF5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50054 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x56DF5B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CE21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CF7C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CF7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CF23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CF23 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CF23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CED9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CED9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CED9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CE21 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2217019118-1341626081-3806821781-3476003069 Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56CE21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 842506EE-96E1-4FF7-957D-E7E2FD982FCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:06:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561027 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561027 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561027 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E0C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E0C8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E0C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55CFFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D14A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D14A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D0F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D0F1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D0F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D0A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D0A4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D0A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55CFFE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-668687781-1184400426-40133559-2746980161 Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55CFFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27DB5DA5-842A-4698-B763-64024197BBA3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x55841E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:05:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x55841E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50025 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:04:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x55841E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:04:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5522CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:04:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5522CF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:04:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5522CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:04:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:04:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x547D43 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:03:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x547D43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 50004 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:02:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x547D43 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:02:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x535E92 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:02:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53C74E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53C74E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53C74E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x539633 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x539633 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x539633 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5386B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538932 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538932 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5388D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5388D9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5388D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538890 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538890 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538890 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5386B1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1792192392-1145364401-1608626352-1027834217 Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5386B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AD2AF88-DFB1-4444-B0B0-E15F6981433D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:01:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x535E92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49983 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:00:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x535E92 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:00:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516DFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 2:00:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A6B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x51476A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520350 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520350 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x520350 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51CD97 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51CD97 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51CD97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51B3ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51B3ED Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51B3ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A55E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A6B2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A6B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A650 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A650 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A650 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A607 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A607 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A607 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A55E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-305372902-1127673298-2425474476-2349440345 Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A55E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12339EE6-EDD2-4336-ACCD-9190599D098C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517D58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517D58 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517D58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516CAC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516DFE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516DFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516D9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516D9B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516D9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516D52 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516D52 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516D52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516CAC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735834943-1118761929-2979154089-4231709928 Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516CAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BDBF33F-F3C9-42AE-A948-92B1E8C43AFC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:59:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x51476A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49971 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:58:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x51476A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:58:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5C00 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:58:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50FC71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:58:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50FC71 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:58:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50FC71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:58:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:58:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4EEFE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5003DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503A28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503A28 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503A28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50135C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50135C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50135C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x500295 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5003DD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5003DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x500384 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x500384 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x500384 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50033B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50033B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50033B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x500295 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-939558185-1116582828-3691225519-1572637988 Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x500295 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 38008529-B3AC-428D-AFA1-03DC248DBC5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:57:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445CF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6086 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x4EEFE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49955 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4EEFE8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EA28A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EA28A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EA28A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E70CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E70CB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E70CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5F3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6086 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6086 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E602D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E602D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E602D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5FE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5FE4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5FE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5F3A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764724474-1301567503-3090143144-3698266858 Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5F3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692F8EFA-580F-4D94-A8D7-2FB8EA126FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:56:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4D8E7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D9CA6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D9CA6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D9CA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x4D8E7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49933 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4D8E7F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D69AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D69AA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D69AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D58B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5C00 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5C00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5AF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5AF8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5AF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D59A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D59A7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D59A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D58B0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2327479761-1146296813-1226442114-599209099 Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D58B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8ABA85D1-19ED-4453-8205-1A498B34B723 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8963 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CCA71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CCA71 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CCA71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C99B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C99B2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C99B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8813 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8963 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8963 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8906 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8906 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8906 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C88BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C88BD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C88BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8813 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3147547714-1267806655-3593559992-2452892607 Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C8813 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB9BC442-31BF-4B91-B85F-31D6BF2B3492 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:54:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4B5FEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB353 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BDB06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BDB06 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BDB06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC336 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC336 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC336 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB20C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB353 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB353 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB2FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB2FA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB2FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB2B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB2B1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB2B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB20C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-149917164-1269911926-567631804-990239829 Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB20C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08EF8DEC-5176-4BB1-BC5F-D52155DC053B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B07C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:53:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x4B5FEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49915 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4B5FEA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B2FFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B2FFF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B2FFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B18F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B18F7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B18F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0280 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B07C7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B07C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0638 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0638 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0638 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B04F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B04F2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B04F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0280 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3587977398-1243546813-2668928896-3964265306 Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D5DC30B6-04BD-4A1F-809F-149F5AE349EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1962 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:52:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x49402A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A6171 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A6171 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A6171 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A2728 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A2728 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A2728 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A180E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1962 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1962 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1909 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1909 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1909 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A18C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A18C0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A18C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A180E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-966816710-1119994811-1657856901-2272135240 Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A180E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39A073C6-C3BB-42C1-85E3-D06248086E87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x493436 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:51:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4976A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4976A8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4976A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x494463 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x494463 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x494463 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x49402A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49890 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x49402A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4932EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x493436 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x493436 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4933DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4933DD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4933DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x493394 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x493394 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x493394 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4932EA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3636528833-1306348018-3808687293-2983252409 Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4932EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8C106C1-49F2-4DDD-BDF4-03E3B9D1D0B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4885A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48ABFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48ABFA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48ABFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x489352 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x489352 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x489352 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x488451 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4885A8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4885A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48854F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48854F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48854F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x488506 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x488506 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x488506 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x488451 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-302693714-1089749413-3167047587-1780444903 Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x488451 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 120ABD52-41A5-40F4-A34F-C5BCE76E1F6A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E0F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:50:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48078C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48078C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48078C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47F14A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47F14A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47F14A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47DFA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E0F4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E0F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E097 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E097 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E097 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E04E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E04E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47E04E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47DFA8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3409887456-1312624654-2995146128-341260329 Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47DFA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB3EC0E0-100E-4E3D-904D-86B229385714 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:49:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x473105 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458EB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473CD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473CD9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x473CD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x473105 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49881 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x473105 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E2D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467D14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467D14 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467D14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467943 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467943 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467943 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E628 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E628 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E628 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4586FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458EB4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458EB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458CDE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458CDE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458CDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4589D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4589D0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4589D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4586FE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2729549845-1139103856-4137723825-3456361434 Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4586FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2B1A015-5870-43E5-B1A7-A0F6DAE303CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4565DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4565DC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4565DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44A996 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44A996 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44A996 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:48:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44825F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44825F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44825F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445B92 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445CF1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445CF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445C98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445C98 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445C98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445C4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445C4E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445C4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445B92 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794487899-1094999281-3202703250-4249616774 Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445B92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A690805B-5CF1-4144-925F-E5BE86014CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4357EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4423EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4423EF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4423EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4308D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4397C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4397C5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4397C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:47:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43676F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43676F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43676F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4356A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4357EE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4357EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x435795 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x435795 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x435795 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43574C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43574C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43574C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4356A3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1664264262-1260426905-1846451090-3201641846 Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4356A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6332A846-9699-4B20-929B-0E6E762DD5BE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433DE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433DE9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433DE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DDB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432681 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432681 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432681 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x4308D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49844 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x4308D8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CD59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AF9A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AF9A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AF9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4251C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4251C5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4251C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42028C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42028C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42028C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41DF6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E2D9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E2D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E0B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E0B4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E0B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E062 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E062 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E062 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41DF6F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-692157385-1188914631-606998165-3226504783 Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41DF6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29417BC9-65C7-46DD-950E-2E244F8E50C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41DCA0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41DCA0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41DCA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CBF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CD59 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CD59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CCFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CCFC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CCFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CCAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CCAA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CCAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CBF1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3276734461-1329776263-2459143607-3646902684 Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41CBF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C34EFFFD-C687-4F42-B78D-93929C515FD9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:46:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x413FD3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:45:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x413FD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49831 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:44:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x413FD3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:44:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E5BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC307 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3E96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB264 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF33E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF33E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF33E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F89E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F89E8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F89E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:43:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x3F141A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4C34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4C34 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4C34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3AB5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3E96 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3E96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3E3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3E3D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3E3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3D55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3D55 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3D55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3AB5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3857139337-1338753620-2846573717-2218976692 Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3AB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E5E74689-C254-4FCB-9544-ABA9B4E54284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x3F141A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49812 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x3F141A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC26F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E8B20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E8B20 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E8B20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:42:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x3CB001 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E0668 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E0668 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E0668 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD27D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD27D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD27D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC128 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC26F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC26F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC216 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC216 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC216 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC1CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC1CD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC1CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC128 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1209468056-1169169292-4065616282-1181151623 Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC128 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48170498-1B8C-45B0-9A61-54F287F16646 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:41:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C88AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1A04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1A04 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1A04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CF374 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CF374 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CF374 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CC3BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CC3BE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CC3BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB074 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB264 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB264 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB206 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB206 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB206 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB1A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB1A5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB1A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB074 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4148059656-1217110343-3987802546-1535763502 Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CB074 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F73E5E08-A147-488B-B209-B1ED2EE4895B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x3CB001 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49808 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x3CB001 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C9838 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C9838 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C9838 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C875D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C88AD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C88AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C8854 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C8854 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C8854 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C8803 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C8803 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C8803 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C875D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2575976728-1101705421-3788845966-1141947378 Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C875D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 998A4918-B0CD-41AA-8E33-D5E1F2BB1044 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D367 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:40:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x388BAD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D74FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35E202 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384F67 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398D36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32BA23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1113 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1113 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1113 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x399E2F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x399E2F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x399E2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398BD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398D36 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398D36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398CDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398CDB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398CDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398C8E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398C8E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398C8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398BD1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-310397386-1175747771-2242248859-3448634320 Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398BD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 128049CA-7CBB-4614-9B00-A685D0FB8DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:39:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DC9C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DC9C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DC9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x388BAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49795 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x388BAD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3865CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3865CB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3865CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384F67 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384F67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384F06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384F06 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384F06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384EAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384EAD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384EAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E07 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1924853088-1326393732-148294811-3398307149 Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72BAED60-2984-4F0F-9BCC-D6084D0D8ECA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D4AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371A7F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371A7F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371A7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341E34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:38:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36C767 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36C767 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36C767 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36266D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36266D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36266D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3620FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3620FF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3620FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35F903 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35F903 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35F903 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DD7A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35E202 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35E202 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DF91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DF91 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DF91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DEBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DEBD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DEBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DD7A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-217733801-1324314793-219002025-4150885892 Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DD7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CFA5AA9-70A9-4EEF-A9B4-0D0D047E69F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CEBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D4AC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D4AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D294 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D294 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D294 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D126 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D126 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D126 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CEBD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170841335-1096321870-726465173-4209700538 Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CEBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A2ED4F7-8B4E-4158-95FA-4C2BBAEEEAFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34AE57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34AE57 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34AE57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3287A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x343639 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x343639 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x343639 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341C73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341E34 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341E34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341DC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341DC0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341DC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341D6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341D6A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341D6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341C73 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787195898-1234451266-473803394-3807872544 Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341C73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8671FA-3B42-4994-82AA-3D1C2086F7E2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:37:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x335311 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x339B47 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x339B47 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x339B47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x336D8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x336D8C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x336D8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x335311 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49767 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x335311 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33272C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33272C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33272C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F7C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F7C9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F7C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E44D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E44D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E44D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D1E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D367 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D367 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D2DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D2DB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D2DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D28C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D28C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D28C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D1E3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3417306257-1312841060-3024325299-1591125919 Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D1E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBAFF491-5D64-4E40-B38A-43B49FA7D65E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B771 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32BA23 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32BA23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B9B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B9B3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B9B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B95A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B95A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B95A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B771 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712505250-1115978988-1888271000-655761700 Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B771 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A77F7A2-7CEC-4284-98BA-8C7024211627 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32998C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32998C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32998C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32864B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3287A6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3287A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x328748 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x328748 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x328748 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3286FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3286FF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3286FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32864B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3994392302-1096487491-1877777572-2482835594 Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32864B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE1596EE-1243-415B-A49C-EC6F8A10FD93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2584ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:36:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x316A81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AE6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AE6B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AE6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317A63 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317A63 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317A63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3168FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x316A81 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x316A81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x316A28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x316A28 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x316A28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3169C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3169C7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3169C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3168FA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160967890-1255119955-3295765405-2544794393 Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3168FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09982CD2-9C53-4ACF-9D63-71C4197BAE97 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F6E78 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEC90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9930 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3078F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3078F1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3078F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304244 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304244 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x304244 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:35:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30218A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30218A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30218A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3003EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3003EA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3003EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE7E2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	16003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEC90 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	16002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEC90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	16001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	16000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEAB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEAB1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEAB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEA04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEA04 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEA04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE7E2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2209662996-1323952200-1371998905-299557985 Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE7E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83B4C814-E848-4EE9-B90A-C75161E4DA11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FDB3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FDB3B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FDB3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC0DE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC307 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC307 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC296 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC296 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC296 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC229 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC229 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC229 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC0DE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3390069815-1105471072-3569761154-4280391247 Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FC0DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA105C37-2660-41E4-823B-C6D44F9621FF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FA70C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FA70C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FA70C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F97E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9930 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9930 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F98D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F98D7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F98D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F988E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F988E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F988E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F97E5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1228634868-1111073521-6817170-1656676943 Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F97E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 493B7AF4-A2F1-4239-9205-68004FE2BE62 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:49 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D73 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8DA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8DA3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D93 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D6E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D64 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8DA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49734 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8DA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49735 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8DA3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8DA2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D69 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49733 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D93 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49732 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49731 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D73 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D6E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49729 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D69 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49730 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D64 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49728 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F8D1A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x2F6E78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49725 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2F6E78 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAADD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF5B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF5B5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF5B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC06B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC06B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC06B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EBF99 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EBF99 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EBF99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EA814 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAADD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAADD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAA83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAA83 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAA83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAA2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAA2B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EAA2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EA814 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2737331539-1121513867-1742263998-2448535539 Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EA814 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A3285D53-F18B-42D8-BED6-D867F3AFF191 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3850 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:34:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2F2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2F2D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2F2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2B1EC1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E020C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E020C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E020C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D957A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D957A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D957A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8FEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8FEB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8FEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D73A0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D74FE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D74FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D74A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D74A1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D74A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D7454 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D7454 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D7454 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D73A0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2604816410-1131887423-385594790-2818180903 Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D73A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B42581A-3B3F-4377-A6B5-FB162707FAA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D6CE0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D6CE0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D6CE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D47E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D47E7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D47E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3709 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3850 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3850 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D37F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D37F7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D37F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D37AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D37AE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D37AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3709 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2503970192-1130261732-1999729030-3534453213 Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3709 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 953F8D90-6CE4-435E-8671-3177DD79ABD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7E67 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB4A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB4A6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB4A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C8D15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C8D15 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C8D15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C76FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7E67 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7E67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7DD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7DD5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7DD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7B8F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7B8F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C7B8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A851F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C76FD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2649054467-1324334419-930600863-1700286547 Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C76FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DE55D03-BD53-4EEF-9FD7-773753505865 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C2BE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C2BE4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C2BE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:33:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A2B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A1D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A08 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A18 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A15 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49691 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A2B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49686 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A18 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49690 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49689 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A1D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A15 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49687 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C0A08 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49685 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09FB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49684 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09F0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49683 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2C09A1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293EE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6773 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6773 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6773 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B59EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B59EE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B59EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B2102 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B2102 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B2102 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x2B1EC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49668 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x2B1EC1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AD9A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AD9A7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AD9A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AB060 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AB060 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AB060 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AAD87 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AAD87 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AAD87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AA14E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AA14E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2AA14E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:27 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A8303 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A851F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A851F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A84C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A84C6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A84C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A8442 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A8442 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A8442 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A8303 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3838860132-1085239418-283057071-2474121273 Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A8303 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4D05B64-707A-40AF-AF1B-DF1039187893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2748E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A1F96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A1F96 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A1F96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:32:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D52D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D52D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D52D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2891ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29567E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29567E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29567E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293D9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293EE5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293EE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E8C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E43 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293D9D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1809157002-1202196532-1788317312-4227599106 Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293D9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6BD58B8A-1034-47A8-808E-976A020BFCFB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:39 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292418 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292418 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292418 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E202 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BC39 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BC39 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BC39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:25 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288CA7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2891ED Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2891ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2890CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2890CE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2890CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288F43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288F43 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288F43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288CA7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3048852874-1240657475-2372532910-2873503226 Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288CA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5B9CD8A-EE43-49F2-AEFA-698DFA2D46AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278310 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:31:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27ED84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27ED84 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27ED84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x272042 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27AA4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27AA4A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27AA4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x279331 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x279331 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x279331 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2781B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278310 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278310 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2782A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2782A3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2782A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27825A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27825A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27825A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2781B1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1402077024-1163198952-4061597588-3031862764 Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2781B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5391FF60-01E8-4555-940F-17F2EC8DB6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x275885 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x275885 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x275885 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2747A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2748E8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2748E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27488F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27488F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27488F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x274846 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x274846 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x274846 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2747A1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2762422224-1125571605-2082220673-2904477862 Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2747A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4A737D0-DC15-4316-812A-1C7CA6D01EAD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D73 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x272042 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49640 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x272042 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F0C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F0C9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F0C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DEAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E202 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E202 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E101 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E101 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E101 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DFF5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DFF5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DFF5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DEAE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2920416101-1322810145-1217256071-3400769836 Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DEAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE120365-7B21-4ED8-87DA-8D482CA1B3CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249341 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267659 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267659 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267659 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:30:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D5AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FE9A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D06A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:48 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D06A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D06A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:48 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25B008 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25B008 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25B008 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x259A27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x259A27 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x259A27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257E5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2584ED Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2584ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2581D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2581D0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2581D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2580AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2580AB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2580AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257E5B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1360483336-1193684270-2875779721-59498693 Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257E5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51175408-2D2E-4726-89EA-68ABC5E08B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B0D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252520 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252520 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252520 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FD49 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FE9A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FE9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FE37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FE37 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FE37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FDEE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FDEE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FDEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FD49 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3229266197-1225696102-1015879583-1179921523 Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24FD49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C07AB115-A366-490E-9F17-8D3C732C5446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24E392 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24E392 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24E392 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D628 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D634 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D649 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D630 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D629 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D62A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D637 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D637 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49627 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D637 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D649 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49626 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D630 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49624 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D649 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D630 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D629 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49625 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D62A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49622 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D629 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D62A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D634 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49621 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D634 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D628 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 192.168.0.75 Source Port: 49623 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D628 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D5AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H1-760455-3 Source Network Address: 10.222.0.102 Source Port: 49620 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x24D5AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x23023E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24A102 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24A102 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24A102 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249092 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249341 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249341 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2492E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2492E8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2492E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24928F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24928F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24928F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249092 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2356962384-1115962209-1889520561-1634816536 Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249092 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8C7C6450-3B61-4284-B1CB-9F7018527161 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x246718 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x246718 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x246718 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F2AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F56B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F56B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F56B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E464 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E5BF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E5BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E557 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E557 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E557 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E509 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E509 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E509 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E464 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555882829-1150066312-2899166347-2192259596 Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E464 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F2774D-9E88-448C-8BC4-CDAC0C3AAB82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:29:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B263 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234537 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234537 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234537 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23201E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23201E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23201E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x23023E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49615 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x23023E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CF76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CF76 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CF76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CDD8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CDD8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22CDD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B071 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AEE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B263 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B263 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B1F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B1F6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B1F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B193 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B193 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B193 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B0D9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B0D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B071 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3582447757-1191561082-558902149-3954376713 Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22B071 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D587D08D-C77A-4705-852B-50210900B3EB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AFFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AFFC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AFFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AF9A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AF9A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AF9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AEE2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-189578963-1208448966-2096759988-2587442570 Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22AEE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0B4CBED3-77C6-4807-B404-FA7C8A3D399A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22704F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22704F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22704F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8768 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x220243 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x220243 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x220243 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F167 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F2AF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F2AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F256 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F256 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F256 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F20D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F20D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F20D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F167 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3600728619-1130247338-1629120915-3107451053 Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21F167 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D69EC22B-34AA-435E-9369-1A61ADF037B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:28:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1E0756 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204E85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF6D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D47F3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20E9D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20E9D6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20E9D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:37 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20B3C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20B3C4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20B3C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:30 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2073B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2073B7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2073B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205C80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205C80 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205C80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:21 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204D37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204E85 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204E85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204E2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204E2B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204E2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204DE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204DE2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204DE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204D37 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-715923713-1110011564-3759570074-3596430322 Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x204D37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AAC2101-6EAC-4229-9A7C-16E0F22B5DD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200E22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200E22 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200E22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF4F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF6D3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF6D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF67A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF67A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF67A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF597 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF597 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF597 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF4F2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3247994285-1217800676-2984931758-3273704899 Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF4F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C19875AD-29E4-4896-AE71-EAB1C3C520C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3535 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:27:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE778 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5264 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5264 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5264 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EBEEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EBEEB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EBEEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153336 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E7653 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E7653 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E7653 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:38 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3068 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3535 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3535 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E339A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E339A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E339A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E329D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E329D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E329D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3068 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1003934559-1217145400-3331302557-3719654332 Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3068 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3BD6D35F-2A38-488C-9DA4-8FC6BC6BB5DD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0B32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0B32 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0B32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:34 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1E0756 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49569 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1E0756 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF731 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF731 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF731 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE42E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE778 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE778 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE6B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE6B4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE6B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE624 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE624 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE624 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE42E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2181257832-1173734373-2279183800-556409910 Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DE42E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82035A68-C3E5-45F5-B895-D98736242A21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1A2A74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F0DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB993 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB993 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB993 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D98CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D98CE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D98CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8601 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8768 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8768 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D870B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D870B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D870B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D86AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D86AF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D86AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8601 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-641167138-1127020838-2109230756-2418961760 Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D8601 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26376F22-F926-432C-A44E-B87D606D2E90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5785 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5785 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5785 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D46A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D47F3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D47F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4796 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4796 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D474D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D474D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D474D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D46A8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189544686-1214579412-3548373384-2214549299 Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D46A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8281CCEE-02D4-4865-88E1-7FD33357FF83 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD068 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD053 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD03C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD0B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD027 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:26:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2D3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C89B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C89B7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C89B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4BE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4BE8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4BE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14CA6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1384D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C29E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2D3D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2D3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2B76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2B76 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2B76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2AA5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2AA5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2AA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C29E5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1631755367-1111319811-847447707-270068220 Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C29E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61429C67-6503-423D-9B06-8332FCE91810 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:33 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AFF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F297 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B4206 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD1F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE0D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACF55 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1ADB1F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A4BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD1C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:25:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B4206 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B4206 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AFAAD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AFAAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AFAAD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF9F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF9F1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF9F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF94B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF94B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF94B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE18A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE1AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE152 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE19A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE172 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE165 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AE144 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE1AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49539 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE19A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49540 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE18A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49538 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE165 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49535 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE172 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49537 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE144 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49534 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE152 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49536 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AE0D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8749183C-3345-B53D-4765-EB2A5B057F98} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ADB1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1AD51E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD51E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {75147D81-9608-4CAE-E334-961FFB56B50A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD244 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD244 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD244 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD1F1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-636238245-1309641083-1079395519-2396439990 Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD1F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 25EC39A5-897B-4E0F-BF44-5640B6C5D68E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD1C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD1C5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD0B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD0B2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD068 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49541 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD068 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD053 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49541 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD053 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD03C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49541 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD03C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFAA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD027 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49541 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD027 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFB5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFE0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFCA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD000 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1AD000 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49538 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1AD000 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACF94 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ACFF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49540 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ACFE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49539 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFE0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ACFCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49536 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFCA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ACFAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49534 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ACFB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49537 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFB5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACFAA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ACF94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49535 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACF94 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1ACF55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1ACF55 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16B3D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D5CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19C4EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194D58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DEEF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195ADF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1948D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194A12 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1949F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1949D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F120 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F10B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F0F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CBD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CBB7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CB9B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB37 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB20 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110640 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11062B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110614 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11055A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110545 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11052E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110490 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11047B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11045F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110292 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11027D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110266 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE70 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE44 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194A4B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F155 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD90 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15D0A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EC14 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD7B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB81 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD64 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110666 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110580 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD53 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1104BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1102BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110092 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110131 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1A2A74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E482D21-D57E-FEAB-65A5-532A025BCB13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49483 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1A2A74 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A11C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A11C8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A11C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:29 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1954E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19EA34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19EA34 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19EA34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194CA8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19C4EB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19C4EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x197868 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x197868 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x197868 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19756E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19756E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19756E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x197371 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x197371 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x197371 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195BE3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195B7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195B98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195B79 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195BBA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195BC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x195BA8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195BE3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49507 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195BC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49508 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195BBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49510 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195BA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49509 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195B98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49506 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195B7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49505 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195B79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49504 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x195ADF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {505835F0-46D6-3773-089C-06558A934E1E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49503 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1954E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49503 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x194F73 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x194F73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {75147D81-9608-4CAE-E334-961FFB56B50A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194E5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194E5A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194E5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194D58 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1750913756-1111965054-110826164-805821351 Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x194D58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 685CD2DC-3D7E-4247-B412-9B06A7DB0730 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x194CA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194CA8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x194A4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194A4B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x194A12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194A12 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1949F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1949A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1949F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1949D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x19499B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x19497C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1949D0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194924 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1949A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49507 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x19499B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49508 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1949A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x19499B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x19495F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194931 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x19497C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49510 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x19497C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194944 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x19495F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49509 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x19495F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x194944 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49506 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194944 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x194931 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49504 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x194924 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49505 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194931 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x194924 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1948D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49503 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1948D4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192B75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192B75 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192B75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17EFD2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x18023C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18EFF3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18EFF3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18EFF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DDA3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DEEF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DEEF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DE92 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DE92 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DE92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DE49 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DE49 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DE49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DDA3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3252892934-1336660126-2753588910-899819624 Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18DDA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C1E33506-D09E-4FAB-AE6E-20A46828A235 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x17F9CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:24:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F268 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AFF8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AFF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:50 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1838C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1838C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1838C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1833B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1833B6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1833B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18318E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18318E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18318E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x180334 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x180328 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1802EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x18034A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x18031D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x18035E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x180305 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x18035E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49482 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x180328 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49477 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x18034A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49481 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x180334 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49478 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x18031D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49479 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x180305 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49480 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1802EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49476 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x18023C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CEF351F8-1BEF-2155-8535-1CA4A339454F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49475 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F9CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49475 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x17F38B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F38B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {75147D81-9608-4CAE-E334-961FFB56B50A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F2ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F2ED Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F2ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F297 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329739953-1256052086-3894804393-3696269638 Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17F297 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677CCB1-D576-4ADD-A9FF-25E8469950DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F268 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F268 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F155 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F155 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F120 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F120 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F10B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F10B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F0F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F0F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F0DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49483 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F0DF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F073 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F03E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F004 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F063 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F081 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F025 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F03D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F081 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49482 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F081 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F073 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49481 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F073 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F063 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49478 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F063 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F03E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49480 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F03D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49479 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F03E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F03D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	892	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:44 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F025 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49477 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F025 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17F004 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49476 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17F004 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x17EFD2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49475 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x17EFD2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17159F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x178DEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x178DEA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x178DEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127ACA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172628 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172628 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172628 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x171454 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17159F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17159F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x171542 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x171542 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x171542 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1714F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1714F9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1714F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x171454 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1451653472-1131335821-3895628944-1638538031 Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x171454 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56867960-D08D-436E-9094-32E82F1BAA61 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:26 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C8D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F085 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15E10C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C9DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C9DA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C9DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15D541 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16B3D8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16B3D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:09 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169826 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169826 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169826 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x168820 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x168820 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x168820 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16836F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16836F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16836F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1680BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1680BE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1680BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F17F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F150 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F11A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F12C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F145 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F10C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15F16B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F17F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49452 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F16B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49451 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F150 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49449 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F145 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49450 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F12C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49448 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F11A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49447 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F10C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49446 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15F085 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C89540D2-CDF4-BAE5-7502-38231B075450} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49445 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:02 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15E10C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49445 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x15D97F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15D97F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {75147D81-9608-4CAE-E334-961FFB56B50A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D63E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D63E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D63E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D5CD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-985127891-1267493583-3535067788-2244928822 Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D5CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AB7DBD3-6ACF-4B8C-8CDA-B4D236E5CE85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15D541 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15D541 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15D0A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15D0A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15CBD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CBD9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15CBB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CBB7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15CB9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CB9B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C98A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CA2F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CA10 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15CA2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49452 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CA2F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15CA10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49451 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15CA10 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15C9F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49450 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15C9E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49449 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9E4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15C9C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49448 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9C8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15C9AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49447 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15C98A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49446 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C9AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C98A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x15C8D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49445 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x15C8D1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:23:00 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15BD62 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15BD62 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15BD62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A037 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BBF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A4BF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A4BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A462 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A462 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A462 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A2F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A2F0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A2F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A037 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1705075918-1091763492-3367450506-1184325566 Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15A037 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65A164CE-FD24-4112-8A37-B7C8BE5F9746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:57 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x14088E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1553B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1553B3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1553B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x154804 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x154804 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x154804 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1531EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153336 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153336 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1532DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1532DD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1532DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153294 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153294 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153294 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1531EE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3810285877-1321189328-3232013970-668976416 Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1531EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E31C5935-BFD0-4EBF-929E-A4C020C5DF27 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x13FD5A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13ECC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14CA6A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14CA6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:43 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EC3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x146327 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x146327 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x146327 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14608A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14608A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14608A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x145E9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x145E9E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x145E9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:40 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x14092C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x14091C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1408EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x140906 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1408FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1408C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1408D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x14092C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49426 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x14091C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49425 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1408FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49422 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x140906 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49423 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1408EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49424 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1408D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49421 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1408C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49420 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x14088E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49419 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13FD5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E80D1EC3-629B-6D9A-47F0-547E792AB34A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49419 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:36 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x13EFEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-1105 Account Name: N-H1-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EFEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {75147D81-9608-4CAE-E334-961FFB56B50A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13ECC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A7F0DD93-EA29-4998-5301-B9FE874528DA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13ECC8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EC14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EC14 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EB81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB81 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EB4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB4C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EB37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB37 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EB20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB20 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EB0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49427 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EB0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EAB0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EACA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA95 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EAA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA87 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EACA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49426 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EACA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EAB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49425 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EAA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49423 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EAB0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EA95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49424 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EAA2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EA87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49422 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA95 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA87 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EA74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49421 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA74 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EA45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.0.75 Source Port: 49420 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA45 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13EA0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49419 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13EA0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:35 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BE82 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13848A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1394C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1394C3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1394C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138873 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138873 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138873 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1384D0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2314287670-1137681390-3876863387-1976908607 Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1384D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89F13A36-A3EE-43CF-9B3D-14E73F3BD575 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x13848A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2F32DFAA-725F-198D-595E-19D305EB5C3F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h1-760455-3@CBCI-760455-3.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x13848A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:31 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135186 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135186 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135186 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131845 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131845 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131845 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:23 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E613 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EC3D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EC3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EBC7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EBC7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EBC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E8E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E8E4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E8E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E613 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2316058422-1274813544-1690451878-3739363303 Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E613 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A0C3F36-1C68-4BFC-A63F-C264E727E2DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E52D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E52D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E52D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:22 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CCC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CCC8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CCC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BAE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BE82 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BE82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BD69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BD69 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BD69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BBAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BBAD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BBAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BAE5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-963211591-1231655059-1063994523-1608013563 Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12BAE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 39697147-9093-4969-9B44-6B3FFB56D85F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128A9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128A9B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128A9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12795F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127ACA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127ACA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127A71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127A71 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127A71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127A28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127A28 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127A28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:12 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12795F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4157418769-1312132239-466895752-1566492926 Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12795F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7CD2D11-8C8F-4E35-8843-D41BFEC85E5D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1FFD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124BCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124BCE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124BCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111591 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:22:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CBC6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CBC6 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CBC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:59 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FBB7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BAA9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BBF0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BBF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB97 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB97 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB4E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BAA9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4093186610-1158924714-3980467605-3236484961 Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BAA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3F91232-C9AA-4513-951D-41ED61D7E8C0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119FAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119FAA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119FAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118667 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:54 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118667 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118667 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:54 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1127E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1127E7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1127E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:47 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111445 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111591 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111591 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111538 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111538 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111538 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1114EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1114EB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1114EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111445 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2486093904-1280129154-2037772977-520711746 Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111445 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 942EC850-3882-4C4D-B1F2-7579426E091F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:45 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10DB4E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110666 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110666 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110640 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110640 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x11062B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11062B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110614 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110614 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110580 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110580 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x11055A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11055A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110545 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110545 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x11052E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11052E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1104BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1104BF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110490 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110490 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x11047B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11047B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x11045F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:42 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11045F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1102BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x1102BC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110292 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110292 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x11027D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x11027D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110266 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110266 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110131 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x110092 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x110092 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FE88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49395 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE88 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FE70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE70 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FE5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE5B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FE44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FE44 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FD90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD90 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FD7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD7B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FD64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD64 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FD53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FD53 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10FBB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {64C6FB54-2926-D053-2B44-DC53E56851E3} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49390 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10FBB7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x10DB4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {50894736-B0A3-EA94-F700-781C88815852} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.102 Source Port: 49375 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: Administrator Account Domain: CBCI-760455-3 Logon ID: 0x10DB4E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B0D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B0D4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B0D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:24 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF2E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFA072 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFA072 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFA072 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:21:03 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF46A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF46A7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF46A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:58 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3034 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3034 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3034 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:56 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1C8F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1FFD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1FFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1EAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1EAD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1EAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1D5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1D5B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1D5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1C8F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1244788777-1269643966-158470822-198750681 Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1C8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A31F829-3ABE-4BAD-A612-7209D9B1D80B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:55 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0209 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0209 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0209 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:53 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF17E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF2E0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF2E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF283 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF283 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF283 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF225 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF225 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF225 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF17E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2539055567-1300324458-3389563061-1408206186 Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF17E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9756E9CF-606A-4D81-B5A0-08CA6A85EF53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:52 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDE0F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE50BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE50BC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE50BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDF142 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDF142 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDF142 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:19 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDDD4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDE0F7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDE0F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDFB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDFB2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDFB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDEBB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDEBB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDEBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDDD4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3871675422-1268613288-1206104480-2015653699 Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDDDD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E6C5141E-80A8-4B9D-A0B1-E347436F2478 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:20:15 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xAE8C1 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1004 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	14422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:16 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xAE8C1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xAE8C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4d8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4d8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:13 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:13 PM	36296b68-f31c-0005-4c6c-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:18:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:46 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: administrator Account Domain: CBCI-760455-3 Logon ID: 0x6B7BA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: administrator Account Domain: CBCI-760455-3 Logon ID: 0x6B7BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F5E3691B-2F10-E759-8E7B-5181D809E45A} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-760455-3 Logon GUID: {F5E3691B-2F10-E759-8E7B-5181D809E45A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: administrator Account Domain: CBCI-760455-3 Logon ID: 0x540A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2755848929-1458286234-1014139862-500 Account Name: administrator Account Domain: CBCI-760455-3 Logon ID: 0x540A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1EC4345A-CAA5-58F0-45B3-648C13FB24A6} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-760455-3 Logon GUID: {1EC4345A-CAA5-58F0-45B3-648C13FB24A6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:17:01 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x4EFA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x4EFA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C1C2EE1E-9DEB-73EE-88B5-C100A8C548AD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x4EFA2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon GUID: {609CFC8B-07AB-6AFE-B9CB-D4A7C0B7B88F} Target Server: Target Server Name: n-h2-760455-3$ Additional Information: n-h2-760455-3$ Process Information: Process ID: 0xda0 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x4C9AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x4C9AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F73D4503-6846-C61C-D95E-1E1F0EF758DB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x4C9AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:51 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x40D11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x40D11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7C23ED55-AFAA-6130-DD4E-6B26A08171E5} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x40D11 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon GUID: {0680A8CB-0F3E-A24F-980C-9E27D1C77FC6} Target Server: Target Server Name: n-h2-760455-3$ Additional Information: n-h2-760455-3$ Process Information: Process ID: 0x10cc Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E8F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x3E8F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F73D4503-6846-C61C-D95E-1E1F0EF758DB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E8F1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:41 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2D960 Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:39 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x2FE66 Account Modified: Account Name: S-1-5-21-2755848929-1458286234-1014139862-500 Access Granted: Access Right: SeServiceLogonRight	4717	0	0	13569	-9214364837600034816	14389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:32 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:28 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x2FE66 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x2FE66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4d8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4d8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:20 PM	36296b68-f31c-0003-a26b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 5a1a2962-c864-474e-adfe-456c85651084 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 5a1a2962-c864-474e-adfe-456c85651084 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b8bee278db186686a8f72a67e18bedf6_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:20 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x2F0C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x2F0C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF8289C1-67D4-AE86-A1A1-CE7BDF95A32A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x2F0C8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon GUID: {A65090FB-FBDF-92D4-2714-17BD8E67B8CC} Target Server: Target Server Name: n-h2-760455-3$ Additional Information: n-h2-760455-3$ Process Information: Process ID: 0xdfc Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x2EA4A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x2EA4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF8289C1-67D4-AE86-A1A1-CE7BDF95A32A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x2EA4A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:18 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon GUID: {A65090FB-FBDF-92D4-2714-17BD8E67B8CC} Target Server: Target Server Name: n-h2-760455-3$ Additional Information: n-h2-760455-3$ Process Information: Process ID: 0xcd4 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2D960 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2D960 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xc90 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0002-936b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3	4724	0	0	13824	-9214364837600034816	14368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/25/2021 1:16:17 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Process Information: Process ID: 0xc90 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Process Information: Process ID: 0xc90 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	928	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:17 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:14 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x26088 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x26088 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A7F4301-7642-EB85-7E96-332D4C5F4372} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x26088 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe	4799	0	0	13826	-9214364837600034816	14359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\vmms.exe	4799	0	0	13826	-9214364837600034816	14358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Domain: Domain Name: N-H2-760455-3 Domain ID: S-1-5-21-2366373026-909230750-2729206779 Changed Attributes: Min. Password Age: ??? Max. Password Age: ??? Force Logoff: - Lockout Threshold: - Lockout Observation Window: - Lockout Duration: - Password Properties: 1 Min. Password Length: 7 Password History Length: 24 Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -	4739	0	0	13569	-9214364837600034816	14357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:11 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:10 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1BF3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1BF3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A7F4301-7642-EB85-7E96-332D4C5F4372} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1BF3B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2412	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1A926 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0	0	12292	-9214364837600034816	14346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3.LOCAL Logon ID: 0x1A926 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A7F4301-7642-EB85-7E96-332D4C5F4372} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x1A926 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2348	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:08 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x17AEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x161FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2400	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2400	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2416	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2416	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0005-876b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2416	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2416	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4d8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4d8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2408	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2416	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	2416	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:07 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0	0	12292	-9214364837600034816	14323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	936	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	936	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x63c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:06 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x438 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?01?-?25T13:16:05.732882600Z New Time: ?2021?-?01?-?25T13:16:05.935000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	14306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	224	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	936	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	936	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBE78 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0	0	12548	-9214364837600034816	14299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBE64 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBE78 Linked Logon ID: 0xBE64 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2f4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBE64 Linked Logon ID: 0xBE78 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2f4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2f4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:05 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	940	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: CBCI-760455-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x340 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	884	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:04 PM	36296b68-f31c-0004-6c6b-29361cf3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x66D3	4902	0	0	13568	-9214364837600034816	14290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	896	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	852	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0	0	12288	-9214364837600034816	14288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	848	852	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x350 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x340 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	520	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	520	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	520	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:16:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x22c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:15:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:15:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	14277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:15:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0	0	13573	-9214364837600034816	14276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3.cbci-760455-3.local	1/25/2021 1:15:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x59c Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?01?-?25T13:15:40.199739900Z New Time: ?2021?-?01?-?25T13:15:40.174000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	14275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	3788	n-h2-760455-3	1/25/2021 1:15:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0	4	103	4620693217682128896	14274	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1428	3720	n-h2-760455-3	1/25/2021 1:15:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	924	n-h2-760455-3	1/25/2021 1:15:37 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Member: Security ID: S-1-5-21-2755848929-1458286234-1014139862-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -	4732	0	0	13826	-9214364837600034816	14272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Member: Security ID: S-1-5-21-2755848929-1458286234-1014139862-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0	0	13826	-9214364837600034816	14271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2396	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: LDAP/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.35 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {84776A9F-EB04-8D49-25D1-E09845993CC8} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: ldap/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-760455-3.LOCAL Logon GUID: {84776A9F-EB04-8D49-25D1-E09845993CC8} Target Server: Target Server Name: n-ad-760455-3.cbci-760455-3.local Additional Information: cifs/n-ad-760455-3.cbci-760455-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.35 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 1:15:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x11a8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	14261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	5052	n-h2-760455-3	1/25/2021 1:15:12 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 1:03:40 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 1:03:40 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:53:49 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x52288A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:53:49 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:53:49 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:53:49 PM	82fdee50-f316-0004-9307-fe8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4F8F8D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:41 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4F8F8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:41 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:41 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:41 PM	82fdee50-f316-0002-4d06-fe8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4F78D2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:38 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4F78D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:38 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:38 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:38 PM	82fdee50-f316-0004-f206-fe8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4F1A97 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:33 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4F1A97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:33 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:33 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:33 PM	82fdee50-f316-0002-1506-fe8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:24 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:24 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4DCAF5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:23 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x4DCAF5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:23 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:23 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:52:23 PM	82fdee50-f316-0002-ef05-fe8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:15 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:52:15 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:51:49 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:51:49 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:51:42 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:51:42 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:42:02 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:42:02 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD823C User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Process Information: Process ID: 0xee8 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0	0	13824	-9214364837600034816	14228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:41:52 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD823C User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Process Information: Process ID: 0x1388 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0	0	13824	-9214364837600034816	14227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:41:50 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD823C User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Process Information: Process ID: 0xcd0 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0	0	13824	-9214364837600034816	14226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:41:50 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:38:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:38:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:38:26 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:38:26 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD823C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD823C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0005-fdf1-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD7561 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD7561 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:55 PM	82fdee50-f316-0004-97f0-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD26B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:50 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xD26B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:50 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:50 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:50 PM	82fdee50-f316-0005-e8f1-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xCEDF7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0xCEDF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:47 PM	82fdee50-f316-0005-e4f1-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Write persisted key to file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016	5061	0	0	12290	-9218868437227405312	14198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:37:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x86D33 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-500 Account Name: Administrator Account Domain: N-H2-760455-3	4724	0	0	13824	-9214364837600034816	14191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:06 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x86D33 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-500 Account Name: Administrator Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/25/2021 12:37:06 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:06 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x86D33 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-500 Account Name: Administrator Account Domain: N-H2-760455-3 Process Information: Process ID: 0x39c Process Name: C:\Windows\System32\net1.exe	4798	0	0	13824	-9214364837600034816	14189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:37:06 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x86D33 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x88c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	14188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:36:54 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x86D33 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:33 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x86D33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:33 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:33 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:33 PM	82fdee50-f316-0005-7fef-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x84D82 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x84D82 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x84D82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:31 PM	82fdee50-f316-0005-7def-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 5a1a2962-c864-474e-adfe-456c85651084 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:30 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 5a1a2962-c864-474e-adfe-456c85651084 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b8bee278db186686a8f72a67e18bedf6_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:36:30 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3	4724	0	0	13824	-9214364837600034816	14175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:28 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/25/2021 12:36:28 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:28 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Process Information: Process ID: 0xe44 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:28 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Process Information: Process ID: 0xe44 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:28 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Process Information: Process ID: 0xe44 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:28 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:23 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:23 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Process Information: Process ID: 0xe44 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:22 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Member: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0	0	13826	-9214364837600034816	14167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:20 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x6E4BD Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x22c Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:20 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Logon ID: 0x6E4BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xe44 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:16 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xe44 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:16 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:16 PM	82fdee50-f316-0005-49ef-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3	4724	0	0	13824	-9214364837600034816	14161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:11 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/25/2021 12:36:11 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:11 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3	4722	0	0	13824	-9214364837600034816	14159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:11 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 New Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: Admin Account Domain: N-H2-760455-3 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -	4720	0	0	13824	-9214364837600034816	14158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:11 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Member: Security ID: S-1-5-21-2366373026-909230750-2729206779-1001 Account Name: - Group: Security ID: S-1-5-21-2366373026-909230750-2729206779-513 Group Name: None Group Domain: N-H2-760455-3 Additional Information: Privileges: -	4728	0	0	13826	-9214364837600034816	14157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:36:11 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x54DD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xf38 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0003-a0ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H2-760455-3 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x22c Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4625	0	0	12544	-9218868437227405312	14153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3	4724	0	0	13824	-9214364837600034816	14152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/25/2021 12:35:47 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Process Information: Process ID: 0xf38 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Process Information: Process ID: 0xf38 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:47 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-500 Account Name: Administrator Account Domain: N-H2-760455-3 Process Information: Process ID: 0xfa4 Process Name: C:\Windows\System32\LogonUI.exe	4798	0	0	13824	-9214364837600034816	14148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:46 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:43 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:43 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x22c Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:41 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\vmms.exe	4799	0	0	13826	-9214364837600034816	14144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:38 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\vmms.exe	4799	0	0	13826	-9214364837600034816	14143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:38 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:37 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:37 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:36 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:36 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:35 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:35 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:35 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:35 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:35 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e41eb1ad-1e05-40b3-b076-da60f8032d26 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:35 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon ID: 0x2B999 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H2-760455-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H2-760455-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:34 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H2-760455-3 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:34 PM	82fdee50-f316-0002-82ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:32 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:32 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:32 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:32 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:32 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:32 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:32 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0	0	12292	-9214364837600034816	14119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x213D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:31 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x22c Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:30 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0	0	12292	-9214364837600034816	14106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x22c Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:30 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x22c Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:30 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:30 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:30 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7e8 Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x594 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?01?-?25T12:35:29.779385300Z New Time: ?2021?-?01?-?25T12:35:29.305000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	14089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1288	n-h2-760455-3	1/25/2021 12:35:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x57c Process Information: Process ID: 0x510 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0	0	13568	-9214364837600034816	14086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:29 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-2366373026-909230750-2729206779-513 Group Name: None Group Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -	4737	0	0	13826	-9214364837600034816	14081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-513 Account Domain: N-H2-760455-3 Old Account Name: None New Account Name: None Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-2366373026-909230750-2729206779-513 Group Name: None Group Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4737	0	0	13826	-9214364837600034816	14079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-503 Account Name: DefaultAccount Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-503 Account Name: DefaultAccount Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-501 Account Name: Guest Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-501 Account Name: Guest Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-500 Account Name: Administrator Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-500 Account Name: Administrator Account Domain: N-H2-760455-3 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	852	n-h2-760455-3	1/25/2021 12:35:27 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:15 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:15 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB539 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0	0	12548	-9214364837600034816	13992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB525 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB539 Linked Logon ID: 0xB525 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB525 Linked Logon ID: 0xB539 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	13988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	896	n-h2-760455-3	1/25/2021 12:35:14 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:13 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	900	n-h2-760455-3	1/25/2021 12:35:13 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:13 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H2-760455-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	n-h2-760455-3	1/25/2021 12:35:13 PM	82fdee50-f316-0000-55ee-fd8216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x6166	4902	0	0	13568	-9214364837600034816	13983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	864	n-h2-760455-3	1/25/2021 12:35:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	n-h2-760455-3	1/25/2021 12:35:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0	0	12288	-9214364837600034816	13981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	n-h2-760455-3	1/25/2021 12:35:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x244 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x244 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h2-760455-3	1/25/2021 12:35:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h2-760455-3	1/25/2021 12:35:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	228	n-h2-760455-3	1/25/2021 12:35:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0	0	13573	-9214364837600034816	13969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h2-760455-3	1/25/2021 12:35:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5ec Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?01?-?25T12:34:52.498838100Z New Time: ?2021?-?01?-?25T12:34:52.475000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	13968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	WIN-5T344G8GM1H	1/25/2021 12:34:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0	4	103	4620693217682128896	13967	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1316	1560	WIN-5T344G8GM1H	1/25/2021 12:34:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:34:46 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:34:46 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H	4724	0	0	13824	-9214364837600034816	13964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:34:26 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/25/2021 12:34:26 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	13963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:34:26 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0x4d8 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	13962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:34:26 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-2366373026-909230750-2729206779-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0x4d8 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	13961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:34:26 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x3e4 Process Information: Process ID: 0x4a4 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0	0	13568	-9214364837600034816	13960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	1/25/2021 12:33:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:32 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:32 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0	0	12292	-9214364837600034816	13957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:29 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x6271B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	1/25/2021 12:33:29 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:29 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:29 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:29 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:29 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0	0	12292	-9214364837600034816	13945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	596	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	1/25/2021 12:33:28 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x524 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?01?-?25T12:33:28.041380300Z New Time: ?2021?-?01?-?25T12:33:27.790000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	13940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	592	WIN-5T344G8GM1H	1/25/2021 12:33:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	1/25/2021 12:33:27 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	1/25/2021 12:33:27 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:27 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:27 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:19 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:19 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x579F4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0	0	12548	-9214364837600034816	13931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x579E2 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x579F4 Linked Logon ID: 0x579E2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x579E2 Linked Logon ID: 0x579F4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	13927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	1/25/2021 12:33:18 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:17 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	916	WIN-5T344G8GM1H	1/25/2021 12:33:17 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	860	WIN-5T344G8GM1H	1/25/2021 12:33:17 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	860	WIN-5T344G8GM1H	1/25/2021 12:33:17 PM	322d8a24-f316-0005-288a-2d3216f3d601	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x4FFD7	4902	0	0	13568	-9214364837600034816	13918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	876	WIN-5T344G8GM1H	1/25/2021 12:33:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	832	WIN-5T344G8GM1H	1/25/2021 12:33:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0	0	12288	-9214364837600034816	13916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	832	WIN-5T344G8GM1H	1/25/2021 12:33:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x33c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	592	WIN-5T344G8GM1H	1/25/2021 12:33:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	592	WIN-5T344G8GM1H	1/25/2021 12:33:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	376	WIN-5T344G8GM1H	1/25/2021 12:33:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	376	WIN-5T344G8GM1H	1/25/2021 12:33:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	376	WIN-5T344G8GM1H	1/25/2021 12:33:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	376	WIN-5T344G8GM1H	1/25/2021 12:33:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x260 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	WIN-5T344G8GM1H	1/25/2021 12:33:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	WIN-5T344G8GM1H	1/25/2021 12:33:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	WIN-5T344G8GM1H	1/25/2021 12:32:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	WIN-5T344G8GM1H	1/25/2021 12:32:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	1/25/2021 12:32:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	1/25/2021 12:32:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0	0	13573	-9214364837600034816	13903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	1/25/2021 12:32:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	13902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1980	WIN-5T344G8GM1H	1/19/2018 9:48:13 AM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0	4	103	4620693217682128896	13901	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1144	WIN-5T344G8GM1H	1/19/2018 9:48:13 AM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.	4647	0	0	12545	-9214364837600034816	13900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:48:12 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H	1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H	1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H	1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H	1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -	4739	0	0	13569	-9214364837600034816	13895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	13894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H	4724	0	0	13824	-9214364837600034816	13893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	13892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -	4739	0	0	13569	-9214364837600034816	13891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe	4798	0	0	13824	-9214364837600034816	13890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E3	1102	0	4	104	4620693217682128896	13887	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1136	WIN-5T344G8GM1H	1/19/2018 9:47:33 AM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Log clear	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]