Message	Id	Version	Qualifiers	Level	Task	Opcode	Keywords	RecordId	ProviderName	ProviderId	LogName	ProcessId	ThreadId	MachineName	UserId	TimeCreated	ActivityId	RelatedActivityId	ContainerLog	MatchedQueryIds	Bookmark	LevelDisplayName	OpcodeDisplayName	TaskDisplayName	KeywordsDisplayNames	Properties
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x47348F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x47348F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51386 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:21 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x47348F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:21 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:07 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:07 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x25467 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x93c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	16216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:06 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 1ec7acc4-9d0e-40da-9128-94ba1f17133b Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	16215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:02 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 1ec7acc4-9d0e-40da-9128-94ba1f17133b Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d72e6b5ebf45808ddbe097924a892667_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	16214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:56:02 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x450695 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:54:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x450695 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51364 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:54:20 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x450695 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:54:20 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x44A305 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:52:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x44A305 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51350 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:52:19 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x44A305 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:52:19 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x443F87 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:50:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x443F87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51342 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:50:18 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x443F87 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:50:18 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x43DD3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:49:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x43DD3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51334 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:48:17 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x43DD3D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:48:17 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x43710B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:47:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x43710B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51321 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:46:16 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x43710B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:46:16 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x430E5E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:44:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x430E5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51306 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:44:15 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x430E5E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:44:15 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x42A124 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:43:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x42A124 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51288 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:42:14 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x42A124 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:42:14 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x423CE9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:41:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x423CE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51278 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:40:13 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x423CE9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:40:13 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x41D77D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:38:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x41D77D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51270 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:38:12 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x41D77D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:38:12 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x416B38 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:37:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x416B38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51264 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:36:11 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x416B38 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:36:11 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x4105DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:35:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x4105DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51249 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:34:10 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x4105DE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:34:10 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x40A0DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:32:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x40A0DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51242 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:32:09 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x40A0DD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:32:09 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x403A56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:31:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x403A56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51227 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:30:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x403A56 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:30:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3FD412 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:29:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3FD412 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51193 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:28:07 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3FD412 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:28:07 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0C68 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:27:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F48C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F48C8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:59 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F48C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:59 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:59 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F1A44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F1A44 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F1A44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0B0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0C68 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0C68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0C0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0C0F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0C0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0BBF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0BBF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0BBF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0B0E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1978676135-1076913867-1841961406-545075657 Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F0B0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75F033A7-66CB-4030-BE19-CA6DC9317D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:53 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3ECCF1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3ECCF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51179 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:06 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3ECCF1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:26:06 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3E696D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:25:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3E696D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51149 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:24:05 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3E696D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:24:05 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3E0743 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:23:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3E0743 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51136 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:22:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3E0743 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:22:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3DA4FA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:20:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3DA4FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:20:03 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3DA4FA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:20:03 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3D4281 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:19:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3D4281 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51109 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:18:02 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3D4281 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:18:02 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3CDD6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:17:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3CDD6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51103 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:16:01 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3CDD6C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	1908	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:16:01 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF923 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:15:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C3351 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C3351 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:32 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C3351 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:32 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:32 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B4B17 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C0647 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C0647 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C0647 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF7D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF923 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF923 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF8C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF8C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF8C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF87D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF87D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF87D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF7D8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1055148346-1252409260-2098048663-2592166757 Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF7D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3EE4493A-3FAC-4AA6-97AE-0D7D6553819A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:26 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5D61 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B630D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B82E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B82E7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:09 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B82E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:09 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:09 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7079 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7079 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7079 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B61C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B630D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B630D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B62B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B62B4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B62B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B626B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B626B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B626B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B61C5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2440063845-1248321875-3351837872-1757272184 Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B61C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91706B65-E153-4A67-B0FC-C8C778D8BD68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:08 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DC6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DC0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DB8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 51080 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DC6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 51081 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DC0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 51079 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5DB8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4756	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5D61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 51078 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B5D61 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:04 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3B4B17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51076 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:00 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3B4B17 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:14:00 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3AD32C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:13:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3AD32C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51062 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:11:59 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3AD32C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:11:59 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3A6AF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:11:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3A6AF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51059 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:09:58 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3A6AF9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:09:58 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3A0AA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:08:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3A0AA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51046 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:07:57 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3A0AA9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:07:57 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x39A6AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:07:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x39A6AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51033 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:05:56 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x39A6AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:05:56 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x393EC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:05:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x393EC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51021 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:03:55 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x393EC2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:03:55 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385D73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:03:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38C3AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:03:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38C3AB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:03:03 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38C3AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:03:03 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:03:03 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3889CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3889CD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:57 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3889CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:57 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:57 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385C14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385D73 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385D73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385D16 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385D16 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385D16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385CCC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385CCC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385CCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385C14 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4129684787-1255814783-4107767997-621567238 Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385C14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F625FD33-367F-4ADA-BD90-D7F4065D0C25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:51 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x381F42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:02:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x381F42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 51013 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:01:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x381F42 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:01:54 PM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F558 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:01:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x376DA4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 12:01:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x376DA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50976 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x376DA4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3750D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:42 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3750D3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3750D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3720E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:36 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3720E9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3720E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3686A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F3FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F558 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F558 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F4FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F4FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F4FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F4B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F4B5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F4B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F3FD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2255275986-1165144230-282733220-3101753902 Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F3FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 866CC7D2-B0A6-4572-A42A-DA102E02E1B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:59:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3686A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50959 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:57:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3686A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:57:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x359810 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:56:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:56:04 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x359810 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50952 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x359810 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3581D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3581D3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3581D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35534D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35534D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35534D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B94 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340C49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35443D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35455A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35455A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35455A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35443D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3576934377-1076355026-1284417412-2874174306 Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35443D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D533AFE9-DFD2-4027-84A7-8E4C626B50AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3395DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:55:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33B046 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x341B4B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	4012	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340AC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x341557 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:38 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x349B41 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:38 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x340D83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:38 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340D17 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:33 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x349B41 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x349B41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x345AE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x345AE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x345AE6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345763 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345763 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345763 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345244 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:29 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345244 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345244 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x341C01 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x341C26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x341C16 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x341C26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {62FA1BBF-5147-7E99-BFE8-8D6E1EE2327E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50929 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x341C16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {62FA1BBF-5147-7E99-BFE8-8D6E1EE2327E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50930 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x341C01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {62FA1BBF-5147-7E99-BFE8-8D6E1EE2327E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50928 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x341B4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {62FA1BBF-5147-7E99-BFE8-8D6E1EE2327E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50927 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x341557 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50927 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x340E42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340E42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x340DDA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x340DDA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x340DDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x340D83 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2123398589-1301346999-4289503395-2561565961 Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x340D83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E907DBD-FAB7-4D90-A3A0-ACFF0965AE98 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340D17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340D17 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340C49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50933 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340C49 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340B94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50932 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B94 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340B7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50932 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B7F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340B68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50932 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B68 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340B57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50932 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B57 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340B3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50919 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B3F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340AF4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340B1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50929 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B1B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340B0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50930 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340B0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340AF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50928 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340AF4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x340AC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50927 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x340AC9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:28 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ECC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ECC0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ECC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BD85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BD85 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BD85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AEFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33B046 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33B046 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AFED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AFED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AFED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AFA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AFA4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AFA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AEFE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-443753182-1169803732-2782133437-2488608336 Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AEFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7322DE-C9D4-45B9-BDFC-D3A550265594 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:54:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3395DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50919 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3395DD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319587 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329E47 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:37 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D993 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:06 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D993 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32D993 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32ABAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32ABAE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32ABAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329D00 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329E47 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329E47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329DEE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329DEE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329DEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329DA5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329DA5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329DA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329D00 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3465064374-1214866898-3427970484-285715143 Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329D00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE88AFB6-65D2-4869-B4AD-52CCC7AA0711 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:53:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F356 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:29 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FA5D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:23 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321B93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321B93 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321B93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32089D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32089D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32089D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F915 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FA5D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FA5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FA04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FA04 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FA04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F9BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F9BB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F9BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F915 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4269705567-1130539338-1627155339-1229302111 Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F915 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE7E895F-A94A-4362-8B6B-FC605FA94549 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F3B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F39C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F39D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F39D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50888 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F3B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50886 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F39D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F3B0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F39C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50887 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F39C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F356 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50885 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x31F356 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31D9BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:08 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31D9BC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31D9BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3181C4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A2BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A2BA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A2BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:52:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319440 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319587 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319587 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31952E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31952E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31952E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3194E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3194E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3194E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319440 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2205174669-1114186549-2023011502-3991769684 Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319440 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 83704B8D-2335-4269-AEB4-94785492EDED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3181C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50882 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x3181C4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D61F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:21 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x310C81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:17 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x310C81 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x310C81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30E36F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30E36F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30E36F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D4D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D61F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D61F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D5C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D5C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D5C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D57D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D57D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D57D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D4D7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469776001-1123289346-3569855932-2120098514 Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30D4D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CED09481-0902-42F4-BCAD-C7D4D2225E7E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:51:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F74C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:33 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F6D3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD2FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300EAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300EAF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300EAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5BC1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:08 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE064 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE064 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE064 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD1B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD2FE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD2FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD2A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD2A5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD2A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD25C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD25C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD25C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD1B7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3469714236-1103807557-2497539518-2612914828 Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FD1B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CECFA33C-C445-41CA-BE6D-DD948CEABD9B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:50:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F95B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:56 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F95B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F95B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F828C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F828C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F828C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7368 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F74C9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F74C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7470 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7470 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7470 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7427 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7427 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7427 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7368 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-582579148-1270567527-1505585031-3910002536 Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7368 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 22B973CC-5267-4BBB-8767-BD5968E70DE9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2F6D3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50863 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F6D3F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C2D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50861 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C2E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	3780	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50862 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C2D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50860 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5C1B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5BC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50859 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2F5BC1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2EE62C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:49:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2EE62C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50845 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:47:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2EE62C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:47:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2E6D6A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:46:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2E6D6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50829 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:45:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2E6D6A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:45:46 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2E0515 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:44:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2E0515 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50811 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:43:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2E0515 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:43:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2D864D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:43:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2D864D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50791 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:41:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2D864D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:41:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2D1888 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:40:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2D1888 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50761 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:39:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2D1888 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:39:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2CB2EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:38:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2CB2EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50728 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:37:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2CB2EA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:37:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2C48EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:37:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2C48EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50658 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:35:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2C48EE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:35:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2BD17C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:34:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2BD17C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50597 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:33:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2BD17C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:33:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2B6243 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:32:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2B6243 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50525 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:31:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2B6243 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:31:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2AF620 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:31:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2AF620 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50484 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:29:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2AF620 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:29:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x2A9312 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2A9312 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {366FC6E2-527D-4D17-90CE-799FF193AA66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x2A9312 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon GUID: {32BAA792-E3A5-C7D3-FA2A-E7680C86B275} Target Server: Target Server Name: n-h1-801714-3$ Additional Information: n-h1-801714-3$ Process Information: Process ID: 0x13a8 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x2A6F71 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2A6F71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9BEA32F6-7431-B136-614A-016EC948210D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x2A6F71 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6D33 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6D33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6A84 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6A84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6709 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6709 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6709 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6624 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A6624 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	15646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	15645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A384E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:28:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A36D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:56 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2A384E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50404 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:37 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A384E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:37 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A3732 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A371E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A3721 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A3732 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50399 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A3721 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50398 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A3732 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A3721 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A371E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50397 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A371E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A36D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50396 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x2A36D9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:27:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x27FB31 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D7B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:24 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291E6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2903FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293C2C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293C2C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293C2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292C1A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292C1A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x292C1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2918DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291E6F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291E6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291C6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291C6F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291C6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291B3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291B3D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291B3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2918DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1428896241-1117947588-4055098291-1536151351 Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2918DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 552B39F1-86C4-42A2-B3E3-B3F137CF8F5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291144 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291144 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x291144 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2902B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2903FA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2903FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2903A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2903A1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2903A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290358 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290358 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290358 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2902B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896766982-1083376643-2638693282-698821521 Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2902B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35739406-0403-4093-A243-479D912BA729 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28E36C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28E36C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28E36C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D80F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D824 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D80E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D824 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50338 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D824 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D80E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50336 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D80E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D80F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50337 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D80F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D7B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50335 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x28D7B5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:26:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28AD36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:56 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28AD36 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28AD36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289E21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289F68 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289F68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289F0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289F0F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289F0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289EC6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289EC6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289EC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289E21 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3315855969-1219528231-3342770073-2867428698 Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289E21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C5A3F261-8627-48B0-999F-3EC75A7DE9AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FF17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:51 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x283A01 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x283A01 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x283A01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x280BF3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x280BF3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x280BF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FDD0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FF17 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FF17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FEBE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FEBE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FEBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FE75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FE75 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FE75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FDD0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1904712230-1193562268-1709115306-4190586190 Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27FDD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71879A26-509C-4724-AA07-DF654E45C7F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:38 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x27FB31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50334 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x27FB31 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26B099 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:26 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2689AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27507F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27507F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:22 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27507F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:22 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:22 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272E6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272E6F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272E6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F4CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F4CC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26F4CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26BDC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26BDC1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26BDC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26AF4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26B099 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26B099 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26B03C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26B03C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26B03C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26AFF3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26AFF3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26AFF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26AF4E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2835600731-1287977313-3373287578-1633825657 Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26AF4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A903D55B-F961-4CC4-9A48-10C979336261 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2697F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2697F5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2697F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268859 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2689AF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2689AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268956 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268956 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268956 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268906 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268906 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268906 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268859 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827690919-1139176498-1567611312-2788258840 Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268859 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E425EDA7-7432-43E6-B0D9-6F5D187431A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:07 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20D075 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:04 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x22F1A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:25:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F0C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236EAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208881 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2566A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2566A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2566A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252347 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252347 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252347 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238E0D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:37 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x248591 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:26 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x248591 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:26 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x248591 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:26 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:26 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2423C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:17 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2423C3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2423C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240ACD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240ACD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240ACD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E907 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F0C2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F0C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EE12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EE12 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EE12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EC5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EC5E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EC5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E907 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2363160842-1188196389-3229458342-2185150213 Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E907 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CDAF90A-7025-46D2-A69F-7DC005BF3E82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E41F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E41F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E41F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239BB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239BB1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239BB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238CB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238E0D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238E0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238DB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238DB4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238DB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238D66 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238D66 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238D66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238CB7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1139458627-1292903079-2053917831-3242587023 Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238CB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43EAC243-22A7-4D10-874C-6C7A8FF345C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:24:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x237DD2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x237DD2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x237DD2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236AF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236EAF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236EAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236D35 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236D35 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236D35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236CD2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236CD2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236CD2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236AF1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-404745036-1196692722-154873732-1453005692 Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x236AF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 181FEB4C-14F2-4754-842F-3B097C1B9B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7B30 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F951 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:43 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F951 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22F951 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x22F1A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50294 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x22F1A3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B40B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D6498 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212BCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:26 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x220D7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:17 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x220D7E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x220D7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21E266 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21E266 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21E266 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21CE50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21CE50 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21CE50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BE40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C003 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C003 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BFAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BFAA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BFAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BF61 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BF61 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BF61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BE40 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2847522527-1269418462-181745584-3132213773 Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BE40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9B9BEDF-C9DE-4BA9-B037-D50A0DCAB1BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6FA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50288 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6E9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50289 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6FA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50287 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B6DF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B40B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801714-3 Source Network Address: 10.222.0.10 Source Port: 50286 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x21B40B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x215A2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:05 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x215A2B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x215A2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213B5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213B5B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213B5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2128B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212BCE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212BCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212B36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212B36 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212B36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2129FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2129FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2129FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2128B4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999401509-1083132885-4054573452-1769617513 Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2128B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772C7225-4BD5-408F-8CE1-ABF169387A69 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:23:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20F845 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20F845 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20F845 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20DED2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20DED2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20DED2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20CF2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20D075 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20D075 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20D01C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20D01C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20D01C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20CFD3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20CFD3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20CFD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20CF2E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3488612712-1162807281-1793603463-3992379520 Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20CF2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFF00168-07F1-454F-8737-E86A80E0F6ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2095C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2095C4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2095C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208729 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208881 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208881 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208828 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208828 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208828 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2087DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2087DF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2087DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208729 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3618593380-1305517052-2443060630-4066323061 Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208729 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D7AF5A64-9BFC-4DD0-9625-9E91752A5FF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4D32 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4D02 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4CE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4CCF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4E7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD61F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A9EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16885B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:14 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5B8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5B8B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5B8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BFC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:06 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ED46F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:04 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ED46F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ED46F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EBE50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EBE50 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EBE50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1D09AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195CFA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x163112 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:22:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AE76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA9E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:51 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DBC3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DBC3F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DBC3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D939E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D939E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D939E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D71CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7B30 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7B30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7949 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7949 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7949 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D756E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D756E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D756E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D71CE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4010192498-1338311604-1077493684-2060019489 Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D71CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF06AE72-03B4-4FC5-B43F-39402167C97A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5FF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D6498 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D6498 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D62CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D62CD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D62CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D616A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D616A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D616A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5FF7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3820289227-1321022705-1000875181-2126893872 Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5FF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E3B4FCCB-34F1-4EBD-AD24-A83B30D3C57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CB251 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C25ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D0F0B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:36 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D0F0B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D0F0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:36 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1D09AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B0498AC0-609B-DF67-5889-07243A7A8E48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50213 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:34 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1D09AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:34 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B06 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:34 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1C542D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4F5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:21 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CB251 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CB251 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C62F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C62F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C62F9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C606E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C606E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C606E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C5EF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C5EF4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C5EF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C542D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50227 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1C4FD7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4FD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4F5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4F5B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4E7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50232 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4E7E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4D32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50231 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4D32 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4D02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50231 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4D02 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4CE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50231 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4CE6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4CCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50231 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4CCF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B36 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B48 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4B5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50230 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B5C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4B36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50228 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4B48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50229 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B48 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B36 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C4B06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50227 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C4B06 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:18 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C25AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D62 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D4A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D23 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195DB4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2676 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2676 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C2676 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C25ED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1908529638-1096690251-3036986041-2218994918 Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C25ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71C1D9E6-2A4B-415E-B9BA-04B5E62C4384 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C25AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0571EC9D-ACD4-7626-96CB-5CC9F8D6DF9C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-801714-3@CBCI-801714-3.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1C25AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135E1C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118C84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:14 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147C62 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BCBD8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BCBD8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BCBD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B7933 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:08 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B7933 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B7933 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:08 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AA6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:04 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AFFF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AFFF7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AFFF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195A1F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD4C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD61F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD61F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD5C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD5C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD5C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD574 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD574 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD574 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD4C0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2918479191-1248908805-2134139046-4259896932 Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD4C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ADF47557-D605-4A70-A660-347F64DEE8FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC1A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC1A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC1A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165B19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA591 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA9E9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA9E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:21:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA848 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA848 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA848 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA7EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA7EB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA7EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA591 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3460871372-1263966142-842627259-731752620 Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AA591 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE48B4CC-97BE-4B56-BB78-3932ACA89D2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19C25C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190AE3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1965BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A2E78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:53 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A2E78 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A2E78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19E3E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19E3E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19E3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1960DC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19C25C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19C25C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x197154 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x197154 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x197154 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196F7F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196F7F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196F7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196E6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196E6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196E6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1965BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50209 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x196108 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x196108 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1960DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1960DC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195DB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50215 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195DB4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195D62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50214 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D62 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195D4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50214 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D4A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195D23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50214 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D23 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195D11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50214 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195D11 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195CFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50213 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195CFA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195ABA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195A98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195A9D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195ABA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50212 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195ABA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195A9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50210 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195A9D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195A98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50211 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195A98 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x195A1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50209 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x195A1F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1835C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:46 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x190AB1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190D04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190D04 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190D04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190AE3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4033414771-1076748614-4274378114-3249367584 Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190AE3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0690673-E146-402D-82D5-C5FE206AADC1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x190AB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CB0F1D76-6D0B-2FFF-E935-BCF65C883286} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-801714-3@CBCI-801714-3.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x190AB1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18CE66 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:42 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18CE66 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18CE66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:42 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18C6CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:41 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18C6CD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18C6CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AD09 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AE76 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AE76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AE18 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AE18 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AE18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18ADC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18ADC0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18ADC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AD09 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1311495807-1117211267-2766662016-2606305762 Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18AD09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E2BD67F-4A83-4297-80E9-E7A4E211599B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:40 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18554D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:33 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18554D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18554D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1831EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1835C9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1835C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183570 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183570 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183570 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1834BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1834BC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1834BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1831EE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1154659542-1101694707-3743964861-3328287723 Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1831EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44D2B4D6-86F3-41AA-BD5E-28DFEBA361C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x182835 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x182835 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:31 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x182835 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:31 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:31 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127872 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17CED0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17CED0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17CED0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BE64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BFC3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BFC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BF6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BF6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BF6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BF1C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BF1C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BF1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BE64 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2952894134-1196635603-3277178535-1086090177 Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17BE64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B00196B6-35D3-4753-A7C6-55C3C16BBC40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17810F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:05 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17810F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17810F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175CE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175CE8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175CE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17380F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17380F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17380F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:20:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E45E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E45E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E45E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BD60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:56 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BD60 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BD60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169FF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A9EB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A9EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A6BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A6BF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A6BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A3DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A3DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A3DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169FF0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3690330058-1295659423-3075288225-2385823479 Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169FF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DBF5F7CA-319F-4D3A-A12C-4DB7F7C6348E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169B6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169B6F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169B6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168475 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16885B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16885B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1687D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1687D8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1687D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16868F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16868F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16868F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168475 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472040595-1092316396-3280296090-3462935530 Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168475 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEF32293-6CEC-411B-9A58-85C3EA3368CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x166B89 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x166B89 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x166B89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1659CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165B19 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165B19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165ABB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165ABB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165ABB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165A72 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165A72 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x165A72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1659CC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3075763852-1261098080-1775163319-3601703259 Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1659CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B7546E8C-D460-4B2A-B7D7-CE695BA1ADD6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:52 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x164694 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x164694 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x164694 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162FC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x163112 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x163112 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1630B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1630B9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1630B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x163070 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x163070 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x163070 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162FC0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1403242773-1124626534-3127388832-2188550575 Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162FC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 53A3C915-7066-4308-A02A-68BAAFA17282 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1283C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:46 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x153146 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x153123 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1530B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15296A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15292C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x152903 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1524BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x152498 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15238D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x151900 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1518E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1518C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15108D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1532DA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x151015 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1529B6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127C00 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x151CA4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x150FC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x152667 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127BEB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1510C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127B53 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127C55 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127B20 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15BC3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:41 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15BC3D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15BC3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:41 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD497 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:36 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x158E24 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x158E24 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x158E24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127673 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x12A8B6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1532DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50147 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1532DA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x153146 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x153146 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x153123 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x153123 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1530B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1530B4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1529B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50147 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1529B6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x15296A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15296A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x15292C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15292C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x152877 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x152877 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x152877 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x152903 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x152903 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x152667 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50147 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x152667 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1524BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1524BC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x152498 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x152498 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x15238D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15238D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:17 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x151CA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50147 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x151CA4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x151900 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x151900 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1518E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1518E4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1518C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1518C9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1510C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50147 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1510C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x15108D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x15108D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x151015 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x151015 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x150FC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x150FC5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1295D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:15 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14B80F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14B80F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14B80F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14AFF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14AFF6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14AFF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100955 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x149B6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x149B6D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x149B6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1475DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147C62 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147C62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147AB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147AB7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147AB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14793E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14793E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14793E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1475DA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3759580666-1263268426-58342051-1462219713 Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1475DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E016A5FA-F24A-4B4B-A33A-7A03C1B32757 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x144E73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:09 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x144E73 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x144E73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:09 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112B11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:06 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1282BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:05 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135E1C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135E1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x12F87E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x12F87E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x12F87E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F6A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F6A4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F6A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F3D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F3D0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F3D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12D09D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12D09D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12D09D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AE47 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AE47 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AE47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A283 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AA6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AA6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x12A9DC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x12AA01 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x12AA1F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x12AA1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EE4A78ED-9394-7954-2C42-358FB471A9F1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50140 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x12AA01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EE4A78ED-9394-7954-2C42-358FB471A9F1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50138 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A87E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x12A9DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EE4A78ED-9394-7954-2C42-358FB471A9F1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50139 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A87E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A87E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x12A8B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EE4A78ED-9394-7954-2C42-358FB471A9F1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50137 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A74E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A74E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A74E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A283 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3757520853-1093588118-1301219251-144877586 Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A283 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DFF737D5-D496-412E-B307-8F4D12A8A208 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:19:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1295D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50137 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127FAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1283C7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1283C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x128400 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-1106 Account Name: N-H2-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x128400 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD9EB19B-90C2-008A-6BF7-1C715D94A3C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128251 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128251 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128251 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1282BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1282BD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12819A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12819A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12819A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127FAF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1863850400-1133439736-3680801705-2197130256 Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127FAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F1819A0-EAF8-438E-A993-64DB108CF582 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x127C55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50147 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127C55 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x127C00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127C00 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x127BEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127BEB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x127B53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127B53 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x127B20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50144 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127B20 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x127872 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A51E681A-7CFE-4BB7-5ABC-2F137202C925} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50142 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127872 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1276E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1276E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50138 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1276E3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1276BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1276B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1276BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50140 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1276B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50139 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1276BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x1276B5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x127673 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50137 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:58 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x127673 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:58 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124820 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124820 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124820 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11C9EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:56 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11C9EB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11C9EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:56 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x118BD1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118E19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118E19 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118E19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118C84 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-521920958-1080973697-1675988150-2266689489 Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x118C84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1BE1BE-5981-406E-B68C-E563D1EF1A87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x118BD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B3382D37-A333-4980-105B-ADE74498382C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-801714-3@CBCI-801714-3.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0x118BD1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:55 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x113E14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x113E14 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x113E14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112961 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112B11 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112B11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112AAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112AAA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112AAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112A5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112A5A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112A5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112961 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696580640-1154615607-2505383347-4182651020 Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x112961 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 651FC420-0937-44D2-B31D-55958C304EF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:51 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1067F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:37 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1067F7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:37 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1067F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:37 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:37 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102D74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102D74 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:31 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102D74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:31 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:31 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10172B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10172B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10172B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:30 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100807 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100955 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100955 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1008FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1008FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1008FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1008AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1008AC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1008AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100807 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422719899-1280581485-185362317-1898504046 Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100807 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CC028F9B-1F6D-4C54-8D67-0C0B6EDF2871 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:29 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE3A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE3A5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE3A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD345 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD497 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD497 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD43E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD43E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD43E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD3F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD3F5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD3F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD345 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3329728705-1223273626-1164514457-423248606 Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD345 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C677A0C1-AC9A-48E9-9914-6945DE423A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0xF35F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:24 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEACB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:23 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8A7B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8A7B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8A7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5146 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0xF35F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0xF35F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8682 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:18:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1720 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1720 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF1720 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:57 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xED01A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xED01A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xED01A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0xD6E3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB9DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB9DF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB9DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:50 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAA83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEACB7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEACB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAC54 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAC54 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAC54 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAB9F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAB9F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAB9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAA83 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983217995-1306269718-249842618-1762728853 Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAA83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7635814B-1816-4DDC-BA4B-E40E951B1169 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:49 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9293 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:47 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9293 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9293 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:47 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9955 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6119 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6119 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6119 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4DE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5146 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5146 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5012 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5012 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5012 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4F20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4F20 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4F20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4DE5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2214631362-1243132721-854794919-1423947988 Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4DE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 840097C2-B331-4A18-A722-F332D4B8DF54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE25C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:33 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE25C3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE25C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:33 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE0A94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:32 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE0A94 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE0A94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:32 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBC4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA498 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA498 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA498 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD81B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8682 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8682 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8539 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8539 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8539 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8389 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8389 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8389 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD81B9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-124727238-1309133890-3659142066-3636009994 Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD81B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 076F2FC6-CC42-4E07-B213-1ADA0A1CB9D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:24 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0xD6E3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50111 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:23 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0xD6E3B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:23 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0xC5315 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAC0AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4C06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4C06 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4C06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:20 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD5A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC945 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC945 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC945 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBADB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBC4F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBC4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBBF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBBF0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBBF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:13 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBBA2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:12 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBBA2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBBA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBADB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2870943532-1287898479-210048422-685964330 Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCBADB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB1F1F2C-C56F-4CC3-A615-850C2AFCE228 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB836 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB836 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB836 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCA825 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCA825 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCA825 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC96D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:11 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9955 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9955 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9866 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9866 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9866 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC981D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC981D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC981D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC96D7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3767524410-1167813940-1526614155-3415222086 Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC96D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E08FDC3A-6D34-459B-8B48-FE5A462790CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:10 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon ID: 0xC5315 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0A07352-B46F-AFBB-1975-E8167A4C7B14} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.10 Source Port: 50104 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: Administrator Account Domain: CBCI-801714-3 Logon ID: 0xC5315 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:17:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAC0AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBBE4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBBE4A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBBE4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBBAA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBBAA4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBBAA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:53 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAFC3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAFC61 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAFC61 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAFC61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAFC3D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAFC3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAA927 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAA926 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAC0AC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAC0AB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAC0AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAC0AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xABABC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xABAAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xABABC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xABABC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xABAAE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xABAAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAB428 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAB427 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAB427 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAB428 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAB427 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAB428 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAA926 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1178575449-1245963763-1028940969-1410174671 Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAA926 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 463FA259-E5F3-4A43-A964-543DCF8E0D54 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAA927 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3195073898-1286092709-3122915732-2031041300 Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAA927 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE70F56A-37A5-4CA8-94E9-23BA143B0F79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:16:44 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:15:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:15:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:15:04 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x25467 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1280 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:14:54 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:14:05 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: administrator Account Domain: CBCI-801714-3 Logon ID: 0x6C04E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: administrator Account Domain: CBCI-801714-3 Logon ID: 0x6C04E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9810E59C-2216-BBEF-588D-55C1C20D50F9} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-801714-3 Logon GUID: {9810E59C-2216-BBEF-588D-55C1C20D50F9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:48 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:45 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: administrator Account Domain: CBCI-801714-3 Logon ID: 0x54565 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3653548240-3450974021-2066483637-500 Account Name: administrator Account Domain: CBCI-801714-3 Logon ID: 0x54565 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FDB265BD-C4F2-7D52-217E-5EA21BAC9041} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-801714-3 Logon GUID: {FDB265BD-C4F2-7D52-217E-5EA21BAC9041} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:43 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x4E736 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:35 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x4E736 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {19060679-86BF-0C18-47E6-9B01FF86FB15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x4E736 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon GUID: {FACCFC61-AA71-DE1D-8928-900A0D6C43B8} Target Server: Target Server Name: n-h1-801714-3$ Additional Information: n-h1-801714-3$ Process Information: Process ID: 0x1390 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x4CC42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:35 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x4CC42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873104E5-DD66-9A5C-0E5B-5172C4A12180} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x4CC42 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:35 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x301E4 Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:30 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3F7E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3F7E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C02BF80A-EA7C-0B54-E4A0-29E2D5D50AE5} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3F7E5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon GUID: {16B344C2-3809-EADE-6A5F-0A31153BB2D6} Target Server: Target Server Name: n-h1-801714-3$ Additional Information: n-h1-801714-3$ Process Information: Process ID: 0x138c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3D44E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x3D44E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873104E5-DD66-9A5C-0E5B-5172C4A12180} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3D44E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:25 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:19 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x35B73 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:16 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x35B73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {669FA032-1A3C-999C-9A06-49FD2AF82EF7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x35B73 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon GUID: {BFA66C9E-6371-8FA6-0445-56AA7F8E099C} Target Server: Target Server Name: n-h1-801714-3$ Additional Information: n-h1-801714-3$ Process Information: Process ID: 0xba4 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x25467 Account Modified: Account Name: S-1-5-21-3653548240-3450974021-2066483637-500 Access Granted: Access Right: SeServiceLogonRight	4717	0		0	13569	0	-9214364837600034816	14352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:16 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x301E4 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x301E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:12 AM	562c38ae-878f-0005-f738-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3	4724	0		0	13824	0	-9214364837600034816	14348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/2/2021 11:13:12 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Process Information: Process ID: 0xa14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Process Information: Process ID: 0xa14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	844	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:12 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x2831F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x2831F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {873104E5-DD66-9A5C-0E5B-5172C4A12180} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x2831F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x97c Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x25467 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x25467 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:06 AM	562c38ae-878f-0001-f338-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 1ec7acc4-9d0e-40da-9128-94ba1f17133b Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 1ec7acc4-9d0e-40da-9128-94ba1f17133b Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d72e6b5ebf45808ddbe097924a892667_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Domain: Domain Name: N-H1-801714-3 Domain ID: S-1-5-21-1063320486-3773702756-614776561 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	14328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:05 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1C653 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1C653 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9BEA32F6-7431-B136-614A-016EC948210D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1C653 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1BB68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3.LOCAL Logon ID: 0x1BB68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9BEA32F6-7431-B136-614A-016EC948210D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x1BB68 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	14321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:03 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x170B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	852	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	2160	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x15296 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0000-cb38-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	14294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:02 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5fc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	536	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x358 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?02T11:13:01.169937500Z New Time: ?2021?-?08?-?02T11:13:01.512000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	224	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:01 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xCABC Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	14276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xCA88 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xCABC Linked Logon ID: 0xCA88 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xCA88 Linked Logon ID: 0xCABC Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	880	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	884	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:13:00 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: CBCI-801714-3 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	888	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:59 AM	562c38ae-878f-0005-b238-2c568f87d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x663C	4902	0		0	13568	0	-9214364837600034816	14263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	856	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	816	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	14261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	812	816	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ac New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	224	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	224	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:54 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:54 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	14249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801714-3.cbci-801714-3.local		8/2/2021 11:12:54 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5ac Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?02T11:12:44.614013700Z New Time: ?2021?-?08?-?02T11:12:44.605000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1884	n-h1-801714-3		8/2/2021 11:12:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x6D7353 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:44 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x6D7353 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:44 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:44 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:44 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	14243	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1444	1684	n-h1-801714-3		8/2/2021 11:12:44 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Member: Security ID: S-1-5-21-3653548240-3450974021-2066483637-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Member: Security ID: S-1-5-21-3653548240-3450974021-2066483637-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4256	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 11:12:40 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: LDAP/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.55 Port: 49667 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 11:12:39 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {876E8DA4-37BD-6AA9-A13A-CCFC8D3FE4A3} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: ldap/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 11:12:39 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801714-3.LOCAL Logon GUID: {876E8DA4-37BD-6AA9-A13A-CCFC8D3FE4A3} Target Server: Target Server Name: n-ad-801714-3.cbci-801714-3.local Additional Information: cifs/n-ad-801714-3.cbci-801714-3.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.55 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 11:12:39 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x115c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 11:12:24 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:48:00 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:48:00 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:32:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:32:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Process Information: Process ID: 0x1320 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:32:35 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Process Information: Process ID: 0x550 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:32:34 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Process Information: Process ID: 0x1304 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:32:34 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:30 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1299FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:30 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:30 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:30 AM	bb2e2a0b-8788-0002-082c-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:25 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:25 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x116ED2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:24 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x116ED2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:24 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:24 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:29:24 AM	bb2e2a0b-8788-0000-a12e-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1116F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801714-3		8/2/2021 10:29:21 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x1116F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801714-3		8/2/2021 10:29:21 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801714-3		8/2/2021 10:29:21 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801714-3		8/2/2021 10:29:21 AM	bb2e2a0b-8788-0003-882c-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x897AC Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-500 Account Name: Administrator Account Domain: N-H1-801714-3	4724	0		0	13824	0	-9214364837600034816	14208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:28:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x897AC Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-500 Account Name: Administrator Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/2/2021 10:28:43 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:28:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x897AC User: Security ID: S-1-5-21-1063320486-3773702756-614776561-500 Account Name: Administrator Account Domain: N-H1-801714-3 Process Information: Process ID: 0x8cc Process Name: C:\Windows\System32\net1.exe	4798	0		0	13824	0	-9214364837600034816	14206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:28:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x897AC Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:28:31 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_8004b611-20d0-485d-a5b1-623737bae804 Operation: Write persisted key to file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016	5061	0		0	12290	0	-9218868437227405312	14197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:27:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:59 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5ac Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?02T10:26:57.341798200Z New Time: ?2021?-?08?-?02T10:26:57.336000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801714-3		8/2/2021 10:26:57 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x897AC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:52 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x897AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:52 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:52 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:52 AM	bb2e2a0b-8788-0000-192c-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x88C13 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:51 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x88C13 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:51 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x88C13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:51 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:51 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:51 AM	bb2e2a0b-8788-0001-8c2a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 1ec7acc4-9d0e-40da-9128-94ba1f17133b Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:51 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 1ec7acc4-9d0e-40da-9128-94ba1f17133b Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d72e6b5ebf45808ddbe097924a892667_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:51 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3	4724	0		0	13824	0	-9214364837600034816	14177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:48 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/2/2021 10:26:48 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:48 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Process Information: Process ID: 0x51c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:48 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Process Information: Process ID: 0x51c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:48 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Process Information: Process ID: 0x51c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:48 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:45 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:45 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Process Information: Process ID: 0x51c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:44 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Member: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x73062 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:43 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Logon ID: 0x73062 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x51c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x51c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:42 AM	bb2e2a0b-8788-0003-682a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3	4724	0		0	13824	0	-9214364837600034816	14163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:37 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/2/2021 10:26:37 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:37 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3	4722	0		0	13824	0	-9214364837600034816	14161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:37 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 New Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: Admin Account Domain: N-H1-801714-3 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -	4720	0		0	13824	0	-9214364837600034816	14160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:37 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Member: Security ID: S-1-5-21-1063320486-3773702756-614776561-1001 Account Name: - Group: Security ID: S-1-5-21-1063320486-3773702756-614776561-513 Group Name: None Group Domain: N-H1-801714-3 Additional Information: Privileges: -	4728	0		0	13826	0	-9214364837600034816	14159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:37 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:11 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x555D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xf14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:11 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:11 AM	bb2e2a0b-8788-0003-612a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3	4724	0		0	13824	0	-9214364837600034816	14155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:11 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/2/2021 10:26:11 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:11 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Process Information: Process ID: 0xf14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:11 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Process Information: Process ID: 0xf14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:11 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H1-801714-3 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x24c Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4625	0		0	12544	0	-9218868437227405312	14151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:08 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-500 Account Name: Administrator Account Domain: N-H1-801714-3 Process Information: Process ID: 0xc2c Process Name: C:\Windows\System32\LogonUI.exe	4798	0		0	13824	0	-9214364837600034816	14150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:08 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:08 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:26:08 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:04 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:04 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9a4 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9a4 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:03 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:02 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:02 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:02 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8004b611-20d0-485d-a5b1-623737bae804 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:26:02 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:01 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon ID: 0x2B643 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801714-3 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:01 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-801714-3 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:01 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801714-3 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:26:01 AM	bb2e2a0b-8788-0005-5c2a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:59 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:59 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:59 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	14118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:58 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2031A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:57 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	14106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1088	n-h1-801714-3		8/2/2021 10:25:56 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4b4 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:56 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a4 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?02T10:25:55.923093400Z New Time: ?2021?-?08?-?02T10:25:56.028000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1304	n-h1-801714-3		8/2/2021 10:25:56 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:55 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:55 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x5c4 Process Information: Process ID: 0x51c Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0		0	13568	0	-9214364837600034816	14086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1088	n-h1-801714-3		8/2/2021 10:25:55 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:55 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:55 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:55 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:55 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-1063320486-3773702756-614776561-513 Group Name: None Group Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -	4737	0		0	13826	0	-9214364837600034816	14081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-513 Account Domain: N-H1-801714-3 Old Account Name: None New Account Name: None Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-1063320486-3773702756-614776561-513 Group Name: None Group Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4737	0		0	13826	0	-9214364837600034816	14079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-503 Account Name: DefaultAccount Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-503 Account Name: DefaultAccount Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-501 Account Name: Guest Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-501 Account Name: Guest Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-500 Account Name: Administrator Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-500 Account Name: Administrator Account Domain: N-H1-801714-3 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801714-3		8/2/2021 10:25:54 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:43 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5AC Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	13992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB598 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5AC Linked Logon ID: 0xB598 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB598 Linked Logon ID: 0xB5AC Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	13988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801714-3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801714-3		8/2/2021 10:25:42 AM	bb2e2a0b-8788-0000-122a-2ebb8887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x61CD	4902	0		0	13568	0	-9214364837600034816	13983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	868	n-h1-801714-3		8/2/2021 10:25:41 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	n-h1-801714-3		8/2/2021 10:25:41 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	13981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	n-h1-801714-3		8/2/2021 10:25:41 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	508	n-h1-801714-3		8/2/2021 10:25:41 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	508	n-h1-801714-3		8/2/2021 10:25:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	n-h1-801714-3		8/2/2021 10:25:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	n-h1-801714-3		8/2/2021 10:25:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	n-h1-801714-3		8/2/2021 10:25:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	n-h1-801714-3		8/2/2021 10:25:40 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-801714-3		8/2/2021 10:25:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-801714-3		8/2/2021 10:25:39 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	n-h1-801714-3		8/2/2021 10:25:37 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801714-3		8/2/2021 10:25:36 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801714-3		8/2/2021 10:25:36 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	13969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801714-3		8/2/2021 10:25:36 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?02T10:25:27.937900800Z New Time: ?2021?-?08?-?02T10:25:27.928000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/2/2021 10:25:27 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	13967	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1304	1600	WIN-5T344G8GM1H		8/2/2021 10:25:27 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:25:23 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:25:23 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H	4724	0		0	13824	0	-9214364837600034816	13964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:25:08 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/2/2021 10:25:08 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:25:08 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xaf8 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	13962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:25:08 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-1063320486-3773702756-614776561-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xaf8 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	13961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:25:08 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x3b4 Process Information: Process ID: 0x4a4 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0		0	13568	0	-9214364837600034816	13960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	WIN-5T344G8GM1H		8/2/2021 10:24:43 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:24:37 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:24:37 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	13957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:24:33 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x63373 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:33 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:33 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:33 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	860	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	13945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	472	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:24:32 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:31 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:31 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x518 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?02T10:24:30.655366300Z New Time: ?2021?-?08?-?02T10:24:31.703000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	588	WIN-5T344G8GM1H		8/2/2021 10:24:31 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:30 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:30 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:24:30 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	888	WIN-5T344G8GM1H		8/2/2021 10:24:30 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:23 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:23 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57674 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	13929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57662 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57674 Linked Logon ID: 0x57662 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57662 Linked Logon ID: 0x57674 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	13925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:22 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:21 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:21 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:21 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	892	WIN-5T344G8GM1H		8/2/2021 10:24:21 AM	8182a7a4-8788-0005-aba7-82818887d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x500EB	4902	0		0	13568	0	-9214364837600034816	13918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	WIN-5T344G8GM1H		8/2/2021 10:24:21 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	WIN-5T344G8GM1H		8/2/2021 10:24:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	13916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	WIN-5T344G8GM1H		8/2/2021 10:24:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	WIN-5T344G8GM1H		8/2/2021 10:24:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	WIN-5T344G8GM1H		8/2/2021 10:24:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H		8/2/2021 10:24:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H		8/2/2021 10:24:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H		8/2/2021 10:24:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H		8/2/2021 10:24:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/2/2021 10:24:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/2/2021 10:24:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	472	WIN-5T344G8GM1H		8/2/2021 10:24:03 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	WIN-5T344G8GM1H		8/2/2021 10:24:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/2/2021 10:24:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/2/2021 10:24:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	13903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/2/2021 10:24:00 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1980	WIN-5T344G8GM1H		1/19/2018 9:48:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	13901	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1144	WIN-5T344G8GM1H		1/19/2018 9:48:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.	4647	0		0	12545	0	-9214364837600034816	13900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:48:12 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H		1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H		1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H		1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H		1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	13895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H	4724	0		0	13824	0	-9214364837600034816	13893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	13891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe	4798	0		0	13824	0	-9214364837600034816	13890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E3	1102	0		4	104	0	4620693217682128896	13887	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1136	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Log clear	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]